Forum attack alert!



bob
11th November 2013, 08:16 PM
Forum attack alert! We've just removed a new member posting a seemingly valid message with a link to illustrate his "problem". When members would click the link, they'd find a page that was an exact replica of the FedoraForum login page and think they'd somehow logged out. If you logged in to the phony page, the identity thief would have been given access to your username and password and been able to post garbage in your name.

Hopefully, this is the only such attack we'll have, however if you ever find yourself unexpectedly "logged out", look carefully at the full address bar to confirm that you're really at fedoraforum.org . In this case the attacker used our forums.fedoraforum.org but also his attack site: museumsalama.com .

leigh123linux
11th November 2013, 09:32 PM
The date and time are also wrong and non-functional


attack link used

http://museumsalama.com/forums.fedoraforum.org/showthread.php%3fp=1675818%23post167581551/

Dan
11th November 2013, 09:37 PM
Lots of 404s, too. Most links are broken.

RHamel
11th November 2013, 09:52 PM
Is it my imagination, or has there been an increase all around in attacks?

Dan
11th November 2013, 10:04 PM
It's a straight copy, do you like my page spoof for this thread


Ayup. That's the same stuff.

Zyblin
12th November 2013, 01:59 AM
When I put in a user name and password, fake of course, it took me right back to the real Fedora forums. If one wasn't paying attention they would not know what happened until it was much too late. I always tell people to glance at the URL BEFORE they give their account info for whatever site they are on. Make sure they are familiar with the URL and know if it changes or looks wrong; this can be done without memorizing every account URL. Better to be slightly slower while being safe and observant rather than losing because one is fast and reckless.

Thanks for the heads up on the attack.

jonnycat
12th November 2013, 03:04 AM
Jokes on them, I can't remember my password. :cool:

BBQdave
12th November 2013, 04:15 PM
If you logged in to the phony page, the identity thief would have been given access to your username and password and been able to post garbage in your name.

Just out of curiosity, what would the attacker hope to gain, other than childish vandalism? Or was the intent to spam through unsuspecting users?

Either way, pathetic :dis:

DBelton
12th November 2013, 04:28 PM
Well, if it were a regular user that they got username/password from, then it would be spamming or they would try the username/password on other sites as well hoping the person used the same combination elsewhere. But if it were an administrator user, they could pretty much take over the forum and wreak all kinds of havoc, in addition to the spamming and trying other sites.

I believe the main intent on grabbing usernames/passwords from forums is hoping that the user has used the same username/password combination on other sites, like banking sites, etc...

Edit:

This brings us around to something that has been said over and over for years, but a lot of people still haven't taken the advice...

Use a different username/password combination for each different site

nonamedotc
12th November 2013, 04:33 PM
Use a different username/password combination for each different site

After so many attacks on various sites in the recent past, I think this is the best advice to give anyone in this regard! :)

.... and a MUST DO!

BBQdave
12th November 2013, 05:05 PM
Use a different username/password combination for each different site

I would hope that this would be a given for most folks. A long string of random numbers and letters, some capital and some lower case. There are different ways to keep track of strong passwords - so there should be no reason not to use a strong password.

Myself, I carry around a bright orange notebook, marked Secret Passwords, in my pocket...

Just kidding :p

Zyblin
12th November 2013, 10:17 PM
I would hope that this would be a given for most folks. A long string of random numbers and letters, some capital and some lower case. There are different ways to keep track of strong passwords - so there should be no reason not to use a strong password.

Myself, I carry around a bright orange notebook, marked Secret Passwords, in my pocket...

Just kidding :p

That's nothing. I tattoo mine on the back of my hand. :blink:

Boricua
12th November 2013, 10:40 PM
Use a different username/password combination for each different site

That's where password managers such as KeePassX (my favorite) and Revelation become so useful. Each website with a different username/password combination.

hadrons123
19th November 2013, 08:05 AM
I think the attacker must have really worked hard to get this thing done. But sadly I doubt there is going to be any financial incentive.

DBelton
19th November 2013, 10:00 AM
I can't see where anyone would even think that doing something like that would have any financial gain in the first place. So, obviously the "attacker" had motives other than financial for doing it.

bob
19th November 2013, 01:33 PM
Dan, I agree. Seems to me that someone was attempting to hack us, trying to fix this: http://forums.fedoraforum.org/showthread.php?t=288582 :dance: (http://forums.fedoraforum.org/showthread.php?t=288582)

hadrons123
19th November 2013, 01:43 PM
My thread subscriptions are screwed. It doesn't reflect the new threads at all. It shows only few old ones about few months ago. Is any one else seeing this behavior?

Dan
19th November 2013, 01:54 PM
Nope. Sadly, mine are still current ... and right up there in the ten-thousands. :rolleyes:

pete_1967
19th November 2013, 09:25 PM
My thread subscriptions are screwed. It doesn't reflect the new threads at all. It shows only few old ones about few months ago. Is any one else seeing this behavior?

Almost had to ask what are the "thread subscriptions" but after spending several minutes to first find a link to anything resembling profile I then managed to find a link titled "List Subscriptions". I guess those are what you're talking about? I got 108 oldest dated 6th August 2006, newest 19th May 2013. No idea how they've ended there though.

It's well possible the trap is just a practise run.

Dan
19th November 2013, 09:26 PM
You have your user control panel set to subscribe to any thread you post to.

:p

pete_1967
19th November 2013, 09:45 PM
You have your user control panel set to subscribe to any thread you post to.

:p

Hmm, that's a bit short then; it lists 108 threads, but I've got 4,054 posts. That'd mean on average 40(ish) posts per thread?

Haaa! After more clicking around that cleverly disguised profile options area "User CP", I found "Default Thread Subscription Mode" in "Edit Options" and it says "Do not subscribe"! At some point in the past I must have been sober enough to select that option if it defaults to some other of the options.

FunkyRes
2nd December 2013, 06:19 PM
I would hope that this would be a given for most folks. A long string of random numbers and letters, some capital and some lower case. There are different ways to keep track of strong passwords - so there should be no reason not to use a strong password.

Myself, I carry around a bright orange notebook, marked Secret Passwords, in my pocket...

Just kidding :p

I have memory issues as the result of head injuries (I'm epileptic)

Using different password for each different site is very difficult.

I use unique passwords for sites that can cause me financial harm, but things like forums where I may go months and sometimes even years between visits, I tend to use the same password.

As far as strength of password, webmasters can also do a lot to prevent discovery of a password when their database is dumped because they are ignorant fools who don't use prepared statements thus opening themselves up to SQL injection.

Use a salt that is a function of the username when creating the hash.

John and Judy both think they are clever and have qwerty123456 as their password.

With most websites, the hash will be the same. That's bad.

But if the salt used is a function of the username (or some other unique identifier), then John and Judy, despite having the same password, will have very different hashes.

So when Cracker Jack gets a dump of the database, every hash is different and he cannot determine which users have common passwords that can easily be brute-forced.
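The scheme FunkyRes describes, worked through in code. This is an added example, not code from the forum or from any site it discusses: it hashes the post's shared password "qwerty123456" for John and Judy three ways (no salt, a salt derived from the username as the post suggests, and the more usual random per-account salt) and shows which of them produce identical hashes in a database dump. The username-to-salt derivation (SHA-256 of the lowercased name) and the PBKDF2 work factor are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumed for the example); raise as hardware gets faster


def unsalted_hash(password: str) -> str:
    """The scheme the post criticises: same password, same hash, for every user on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def username_salt(username: str) -> bytes:
    """Salt as a function of the username, as the post suggests.
    Assumption: SHA-256 of the lowercased username; any fixed per-user derivation behaves the same."""
    return hashlib.sha256(username.lower().encode("utf-8")).digest()


def random_salt() -> bytes:
    """Standard practice: a fresh random salt per account, stored next to the hash."""
    return os.urandom(16)


def password_hash(password: str, salt: bytes) -> str:
    """Slow, salted hash (PBKDF2-HMAC-SHA256) so every guess costs the attacker real work."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return dk.hex()


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Credential row as a site would store it: username, salt and hash, never the password."""
    if salt is None:
        salt = random_salt()
    return {"user": username, "salt": salt.hex(), "hash": password_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking how far the match got."""
    candidate = password_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """John and Judy share the post's password; report which schemes make that visible in a dump."""
    shared = "qwerty123456"  # the password from the post
    plain = (unsalted_hash(shared), unsalted_hash(shared))
    by_user = (make_record("John", shared, username_salt("John")),
               make_record("Judy", shared, username_salt("Judy")))
    randomised = (make_record("John", shared), make_record("Judy", shared))
    return {
        "unsalted_collide": plain[0] == plain[1],
        "username_salt_collide": by_user[0]["hash"] == by_user[1]["hash"],
        "random_salt_collide": randomised[0]["hash"] == randomised[1]["hash"],
        "verify_ok": verify(by_user[0], shared) and verify(randomised[1], shared),
        "verify_wrong": verify(by_user[0], "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A username-derived salt is deterministic, so anyone who holds the dump (which contains the usernames) knows every salt; that is also true of a random salt stored beside the hash, so in both cases the protection comes from per-user uniqueness plus a slow hash, not from the salt being secret. A random salt is the usual choice because it also stays unique when a user renames their account or the same username exists on two sites.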

jago25_98
11th December 2013, 12:12 PM
I have to hand it to them, an ingenious attack!

srs5694
11th December 2013, 05:54 PM
I have to hand it to them, an ingenious attack!

Actually, it's a rather old trick. Somebody did fundamentally the same thing in my college computing center in the mid-1980s. Of course, they just set up a fake login screen on a terminal, rather than a fake Web page. That's a difference in the amount of data faked, though; the principle is the same.

mrlinuxmanz
12th December 2013, 01:01 AM
Any reason why the forum doesn't look at ssl? SSL fixes this type of stuff when properly implemented.

Only log in at HTTPS:// links. Keep your cert's private key safe. Etc.

Himlad1519
14th December 2013, 11:27 PM
+1 vote for SSL by me as well :)

theking2
15th February 2014, 09:42 AM
I have memory issues as the result of head injuries (I'm epileptic)

Using different password for each different site is very difficult.



I cannot seem to bother my brain with wastes of passwords. I rely on a password manager with a password generator.

I don't know my password on this site, only my password manager does. That increases my chances of plausible deniability whenever I write something stupid here.

(It wasn't me, must have been Keepassx who posted that :rolleyes:)

theking2
15th February 2014, 05:29 PM
Any reason why the forum doesn't look at ssl? SSL fixes this type of stuff when properly implemented.

Only log in at HTTPS:// links. Keep your cert's private key safe. Etc.

You know what? I might buy you the certificate for two years. For real.

flyingfsck
15th February 2014, 07:10 PM
I keep my passwords in a text file in a public folder on dropbox. Nobody will ever dream to look for it there...

theking2
16th February 2014, 09:07 PM
I keep my passwords in a text file in a public folder on dropbox. Nobody will ever dream to look for it there...

But certainly your password is 123456, oh no, wait, I know, qwerty

Veeshush
19th February 2014, 11:54 PM
You know what? I might buy you the certificate for two years. For real.

Yeah, a lot of sites with forums I go on could truly care less about HTTPS cause of the cost and "Well we're not a banking/shopping site". I wish there was a more open and cheaper way to implement it for sites that really can't afford that kind of thing for what they do.

If anyone is considering getting it for this site, give these a look over:

https://www.ssllabs.com/

https://www.eff.org/https-everywhere/deploying-https and https://www.eff.org/ itself.

pete_1967
20th February 2014, 04:18 AM
Yeah, a lot of sites with forums I go on could truly care less about HTTPS cause of the cost and "Well we're not a banking/shopping site". I wish there was a more open and cheaper way to implement it for sites that really can't afford that kind of thing for what they do.

The cost of a domain validated certificate is peanuts nowadays: 1-2-3.reg are selling them for 9.99/year, Comodo, GoDaddy and a few others for just under 50, GeoTrust for just over 100/year, and even companies like Thawte don't charge more than $150/year.

You can even get them for free if you're not too fussy: http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

For a site like this, there is no need to go through the full blown EV process, but offering encrypted signing would be nice.

dobbi
20th February 2014, 05:29 AM
I wish there was a fingerprinting plugin to check those critical pages for validity warning users if there was a mismatch. Oh well maybe at Christmas time :)

In the meantime, since this is a link that loads an entire new page and counts on people being unaware that they have gone to another page, I wonder if the solution of DeviantArt wouldn't help here. Every link you click in there that goes outside of their domain redirects to a page that informs users that they are leaving DeviantArt. The one thing I think they forgot is to tell the user why they do that; it doesn't need to be long, just:


Reasons for this:
* bla bla bla bla
* bla bla bla bla
* Redirection to fake login pages, trying to grab DeviantArt users' passwords
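The three checks this thread keeps coming back to, in one place: the host test bob and Zyblin ask readers to do by eye (and which leigh123linux's attack link defeats by putting "forums.fedoraforum.org" in the path), mrlinuxmanz's "only log in over HTTPS" rule, and the outbound-link interstitial dobbi describes. This is an added example and not forum software; the link string is the one leigh123linux posted, the interstitial path `leaving.php?to=` and the other sample URLs are constructed for the example. It generalises slightly beyond the thread: the host test accepts any subdomain of the forum's domain (so the www host meine later mentions passes) while rejecting hosts that merely end in or contain the domain name.

```python
from typing import Optional
from urllib.parse import quote, urlparse

SITE_DOMAIN = "fedoraforum.org"
# Assumption for the example: the forum does not have such a page.
INTERSTITIAL = "https://forums.fedoraforum.org/leaving.php?to="

# The phishing link reported by leigh123linux in the thread.
ATTACK_LINK = ("http://museumsalama.com/forums.fedoraforum.org/"
               "showthread.php%3fp=1675818%23post167581551/")


def host_of(url: str) -> Optional[str]:
    """Hostname the browser would actually connect to, lowercase, or None for
    relative links and non-web schemes (mailto:, javascript:, ...)."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    host = (parsed.hostname or "").rstrip(".")  # drop a trailing root dot
    return host or None


def belongs_to(host: str, domain: str) -> bool:
    """Exact match or a proper subdomain on a dot boundary: 'www.fedoraforum.org'
    passes, 'fedoraforum.org.example.com' and 'museumsalama.com' do not."""
    return host == domain or host.endswith("." + domain)


def is_site_link(url: str, domain: str = SITE_DOMAIN) -> bool:
    """Absolute web URL whose host really is the forum's. The path is ignored on
    purpose: that is where the attack link hid the familiar-looking name."""
    host = host_of(url)
    return host is not None and belongs_to(host, domain)


def is_safe_login_url(url: str, domain: str = SITE_DOMAIN) -> bool:
    """mrlinuxmanz's rule: log in only over HTTPS and only on the forum's own host."""
    return urlparse(url.strip()).scheme.lower() == "https" and is_site_link(url, domain)


def rewrite_outbound(url: str, domain: str = SITE_DOMAIN) -> str:
    """dobbi's interstitial: off-site web links are sent through a 'you are leaving'
    page; on-site, relative and non-web links are returned unchanged."""
    if host_of(url) is None or is_site_link(url, domain):
        return url
    return INTERSTITIAL + quote(url, safe="")


if __name__ == "__main__":
    # Constructed sample links plus the real one from the thread.
    for link in (ATTACK_LINK,
                 "http://forums.fedoraforum.org/showthread.php?t=288582",
                 "https://www.fedoraforum.org/login.php",
                 "http://fedoraforum.org.example.com/",
                 "showthread.php?t=1"):
        print(f"{link}\n  host={host_of(link)} on-site={is_site_link(link)} "
              f"safe-login={is_safe_login_url(link)}\n  rendered={rewrite_outbound(link)}")
```

The point of `host_of` is that it uses the same parsing rule the browser does: everything after the scheme up to the first `/` is the host, so the attack link resolves to museumsalama.com no matter what the rest of the address looks like. Reading the address bar from the left and stopping at the first slash is the manual equivalent bob recommends.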

lsatenstein
23rd February 2014, 06:35 PM
I wish there was a fingerprinting plugin to check those critical pages for validity warning users if there was a mismatch. Oh well maybe at Christmas time :)

In the meantime, since this is a link that loads an entire new page and counts on people being unaware that they have gone to another page, I wonder if the solution of DeviantArt wouldn't help here. Every link you click in there that goes outside of their domain redirects to a page that informs users that they are leaving DeviantArt. The one thing I think they forgot is to tell the user why they do that; it doesn't need to be long, just:

Hi dobbi.

I wrote a scanner that takes a fingerprint of all files within and below a directory. Point the scanner to a high level directory, and it will take a signature (fingerprint) of each file within that directory and all sub-directories.

Here is a very brief sample output (a few lines).
The first column is the filename (I limited it to 32 chars),
the second is its date and time,
the third is the md5sum or, if desired, sha1sum,
the final is the path to where the column 1 file is stored.


md5 |20140204 2249|c99abf57fa86e748bb29ec349b320f1a|/home/leslie/bin
scandir |20140222 1656|d2721c15a7db983f53b6c74d33b2dad8|/home/leslie/bin
collect.sh |20140204 2249|2d3a9ded5d07e6c11ae9752411fe3845|/home/leslie/bin
collect.bak |20140204 2249|23c4c3886bc282644cd849afdc4532e5|/home/leslie/bin
mounted |20140222 1223|e41ffb351754914c95f4ee15eb8045f8|/home/leslie/bin
bkuptar.sh |20140204 2249|e84600fec4e28f0000f399d040dca3fc|/home/leslie/bin

This scanner was developed to use md5 or sha1 hashing. I included a blacklist (directories to skip over).

I was going to align it with a change management application.

If the output from the scanner is matched to a previous scan, inserts, deletes and changes since the previous scan are easily detected.

In a way, this signature is the way many anti-virus programs work. If the signature matches what is on file, the file is not corrupted.

It is written in C. If there is an interest, I could make it available.
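A small file-integrity scanner of the kind lsatenstein describes, written here as an added example in Python (his is in C and is not on the page). It walks a tree, skips a blacklist of directories, records a digest per file, prints lines in the same four-column layout as his sample output, and diffs two scans to report inserted, deleted and changed files. It defaults to SHA-256 rather than MD5/SHA-1, since both of those have known collision attacks and no longer give a reliable "this file has not been altered" signal. The `demo` tree, file names and the modifications it makes are constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file through the digest so large files are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root, algo: str = "sha256", skip_dirs=()) -> dict:
    """Return {relative path: (YYYYMMDD HHMM, digest)} for every regular file under root.
    skip_dirs holds directory paths relative to root that are stepped over (the blacklist)."""
    root = Path(root)
    skip = {root / s for s in skip_dirs}
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        dirnames[:] = sorted(d for d in dirnames if here / d not in skip)  # prune in place
        for name in sorted(filenames):
            path = here / name
            if path.is_symlink() or not path.is_file():
                continue  # a symlink can be repointed without its target changing, so hash targets only
            stamp = time.strftime("%Y%m%d %H%M", time.localtime(path.stat().st_mtime))
            manifest[path.relative_to(root).as_posix()] = (stamp, hash_file(path, algo))
    return manifest


def format_line(rel: str, stamp: str, digest: str, root) -> str:
    """One report line in the post's layout: name (32 cols) | date time | digest | directory."""
    p = Path(rel)
    return f"{p.name[:32]:<32}|{stamp}|{digest}|{Path(root) / p.parent}"


def compare(previous: dict, current: dict) -> dict:
    """Diff two manifests by digest only, so a touched-but-identical file is not reported."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "added": sorted(cur_keys - prev_keys),
        "removed": sorted(prev_keys - cur_keys),
        "changed": sorted(k for k in prev_keys & cur_keys if previous[k][1] != current[k][1]),
    }


def demo():
    """Constructed tree in a temp dir: scan, tamper with it, rescan and return both scans and the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "cache").mkdir()
        (root / "bin" / "collect.sh").write_text("#!/bin/sh\necho collect\n")
        (root / "bin" / "mounted").write_text("mounted\n")
        (root / "cache" / "junk").write_text("ignored\n")
        before = fingerprint_tree(root, skip_dirs=("cache",))
        (root / "bin" / "collect.sh").write_text("#!/bin/sh\necho tampered\n")  # changed
        (root / "bin" / "mounted").unlink()                                      # removed
        (root / "bin" / "newfile.sh").write_text("#!/bin/sh\n")                  # added
        after = fingerprint_tree(root, skip_dirs=("cache",))
        return before, after, compare(before, after)


if __name__ == "__main__":
    before, after, diff = demo()
    for rel, (stamp, digest) in after.items():
        print(format_line(rel, stamp, digest, "/scanned/root"))
    print(diff)
```

Keep the baseline manifest somewhere the scanned system cannot write to (read-only media or another host), otherwise whoever alters a file can alter its recorded signature as well.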

Veeshush
26th February 2014, 02:02 AM
You can even get them for free if you're not too fussy: http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

For site like this, there is no need to go full blown EV process, but offering encrypted signing would be nice.

I've been reading up more. These guys may offer a free one for this site: https://cert.startcom.org/

^ That's what Electronic Frontier Foundation (EFF) uses as well.

lsatenstein
26th February 2014, 01:56 PM
That's where password managers such as KeePassX (my favorite) and Revelation become so useful. Each website with a different username/password combination.

===
What do you do if you have three systems in three places? Is the KeePassX file shareable via Dropbox or something similar?

pete_1967
26th February 2014, 06:42 PM
===
What do you do if you have three systems in three places? Is the KeePassX file shareable via Dropbox or something similar?

Yes, you can keep it on a shared drive (network, "cloud", Dropbox etc.); that's what I'm doing (though using ownCloud on my own server). I've got desktop, laptop, tablet & mobile all using the same file. The only thing you need to remember is to close it on the client after use, otherwise it remains locked and you can't open it with another client. I do keep local copies of the database for backup purposes and I have it on a Datashur USB stick for when there's no network available (remember you can use it for any kind of password & data snippet storage using attachments).

meine
3rd March 2014, 11:10 PM
Last weekend I noticed that on some pages the default URL forums.fedoraforum.org changed to www fedoraforum org. Everything looked the same, but somehow the loaded page responded not as normal. This happened especially on my User CP page where I wanted to change my mail address.

every time I noticed the change in url to www I closed the browser and started over again, by typing the correct url. also used different browsers to reconnect.

something to stay alert to!

not only to prevent strange posts on this forum, but more to prevent parts of your identity being stolen...

Boricua
6th March 2014, 10:42 PM
===
What do you do if you have three systems in three places? Is the KeePassX file shareable via Dropbox or something similar?

pete_1967 is right. As I recall, Dropbox provides a folder named Crypted which provides some extra security. That's where I place my KeePassX file for sharing with my laptop, my Nexus 7 and my HTC One. But I take an additional security measure. Actually, I have two KeePassX files. The one I share via Dropbox is the one containing the least sensitive information. A second file with far more sensitive info, such as bank and credit card accounts, resides on my desktop computer and its contents were only shared with my laptop via a flash drive, and using my local network tools to share it with my tablet and phone.
Lately, I am also using ownCloud for sharing both files.

flyingfsck
7th March 2014, 06:29 AM
The keepass database is encrypted. Simply put it in dropbox folder.

I just use a very long password on it- flippen painful to type on a smartphone though!

lsatenstein
20th February 2016, 05:15 AM
When I put in a user name and password, fake of course, it took me right back to the real Fedora forums. If one wasn't paying attention they would not know what happened until it was much too late. I always tell people to glance at the URL BEFORE they give their account info for whatever site they are on. Make sure they are familiar with the URL and know if it changes or looks wrong; this can be done without memorizing every account URL. Better to be slightly slower while being safe and observant rather than losing because one is fast and reckless.

Thanks for the heads up on the attack.

That puts the fear into using automatic login software such as LastPass.

alphacrucis
22nd February 2016, 12:51 AM
If it hasn't already been mentioned - free certs here:

https://letsencrypt.org/

In public beta. Also provides a mechanism for automatic cert maintenance.

How to use letsencrypt with fedora:

https://fedoramagazine.org/letsencrypt-now-available-fedora/

Acropolis
20th March 2016, 01:42 AM
This is why I always use the NoScript addon in any Firefox (even on my smartphones).

Unfortunately Google Chrome has no addon like this, and I only use Chrome to test this type of attack in KVM machines.

If you want to see what a malicious site can do in your browser with JavaScript attacks, check the BeEF documentation and videos, or download a Kali image and install it in a virtual machine to test it.