Author Topic: Check your email address(s) and passwords for cyber security breaches  (Read 12662 times)


Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #25 on: January 12, 2023, 11:30:05 pm »
Quote
Not all of us are as savvy as you and a few others are about such spoofs.  Nor do I intend to become that savvy.  If the site you presented as safe is not safe, then that assertion needs to be corrected.  Fact is, I have rarely gotten such clearly dangerous emails.  The temporal relation to "checking" as you suggest cannot be ignored.  Whether that is important to Dave is his choice.  My decision has already been made.  The link you provided has been deleted and my trust in you has been affected.  Not that any of that matters to a site this size.

Savvy or not, even careful individuals will probably have personal information leaked at some point.

It's a shame you didn't find the resource I presented as useful to you, but that's OK, it's completely your decision whether to use a particular service or not.

At the end of the day, I took steps to investigate and ensure that the breach didn't occur on EEVblog's end and I presented what I know to everyone, so that individuals can make an informed decision about whether or not to change passwords, implement MFA etc... I don't believe in closing my eyes and blocking my ears, and pretending everything is normal. I can almost guarantee that if the forum was breached or subject to a data breach, and we did nothing about it or inform the users, a lot of people would be quite upset.
« Last Edit: January 12, 2023, 11:34:19 pm by Halcyon »
 
The following users thanked this post: SeanB, thm_w, newbrain

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #26 on: January 12, 2023, 11:33:26 pm »
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #27 on: January 12, 2023, 11:37:30 pm »
Quote from: jpanhalt
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?

What are you talking about? It's a reputable site, it doesn't do anything with your email address and if he tried it with your email address it means that your address was already compromised. He doesn't need permission to do that, you voluntarily gave your email address to this site when you signed up.
 
The following users thanked this post: newbrain

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #28 on: January 12, 2023, 11:37:50 pm »
Quote from: jpanhalt
You are missing my real concern.  It is not whether I am foolish enough to enter my email address on such a site.  It is that YOU, unknown to us, did that with some of our email addresses.  Who gave you permission to do that?

No one gave me "permission", but to be quite blunt, no one's information was used in an irresponsible or unsafe manner, nor shared or stored anywhere else beyond this forum.
When you sign up or use any service, be it on the internet or otherwise, you're entrusting that it's being owned and operated by sensible and knowledgeable people. EEVblog is no different. Dave knows me personally, knows my background and qualifications and has entrusted a small handful of us with the administration and moderation of this forum. That includes access to the information you voluntarily provide upon sign-up. You're also trusting that the service itself (in this case SMF 2.0.18) does the job and fulfills your needs and expectations.

You might disagree with my methods, and that's OK, you weren't involved nor impacted. You seem to be making an issue out of a non-issue.

My final word on this matter is, it's impossible to keep everyone happy. Someone will always complain about an action or inaction, or the way something was said. I'm not here to preserve your feelings and emotions, I'm here to do the best job I know how as a moderator, and contribute positively to this forum and to Dave's operations. I believe in sharing knowledge and wisdom gained over many years of experience and education, that will not change as long as I'm alive. I refuse to hide behind anything, all of this is out in the open for all to see and comment on, including Dave. If he wants to give me a smack, I'll accept that.
« Last Edit: January 13, 2023, 12:27:26 am by Halcyon »
 
The following users thanked this post: SeanB

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #29 on: January 12, 2023, 11:46:47 pm »
Maybe nothing was compromised, but maybe you can fill us in on how you did it?
Quote from: Halcyon
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Was that done by you with a printout of such sites, or did you enter the email addresses into some service?  Was that service safe or was it the one you linked to?
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #30 on: January 12, 2023, 11:48:13 pm »
https://www.eevblog.com/forum/chat/forum-rules-please-read/
Quote
Only the moderators and administrators can access it [email], and will only do so for the purposes of administration.

Proactively investigating possible explanations for an increase in apparent spam from known users seems totally fine by me.
Keep in mind that the alternative, to just pretend nothing is going on - could lead to a compromised moderator which could lead to unpleasant surprises for many of us.

Let's lower our pitchforks and continue to the next thread?
 
The following users thanked this post: thm_w, Halcyon, newbrain, james_s, sarge

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #31 on: January 12, 2023, 11:50:15 pm »
Quote from: jpanhalt
Was that service safe or was it the one you linked to?

The linked service is safe. Please read and understand page 1 of this thread. Thanks.
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #32 on: January 12, 2023, 11:51:21 pm »
Quote from: jpanhalt
Maybe nothing was compromised, but maybe you can fill us in on how you did it?
Quote from: Halcyon
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Was that done by you with a printout of such sites, or did you enter the email addresses into some service?  Was that service safe or was it the one you linked to?

The breached email addresses used to sign-up to this forum were checked using the HIBP API/service. It was both safe and the same service I linked to in my original post.

The link was provided so that others (not involved in the small handful of accounts that were breached) could benefit from the same, secure and beneficial service, should they wish to do so.

I apologise if my methods were not made clear initially. My focus was ensuring that everyone knew things were fine on our end.
« Last Edit: January 12, 2023, 11:52:52 pm by Halcyon »
 

Offline sarge

  • Contributor
  • Posts: 24
  • Country: us
  • If humans can make it, humans can break it.
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #33 on: January 13, 2023, 12:11:40 am »
Sounds like some people need to research what they read, and stop coming to immediate conclusions. That said, compromises and breaches happen too much anymore, so I'm happy a moderator like Halcyon took the time to check into it. Cheers!
 

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3479
  • Country: us
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #34 on: January 13, 2023, 12:45:19 am »
 @Halcyon,

I can accept that and the fact that you think that site is safe.  We come from quite different spheres.  In my field in the USA, we are legally bound by restrictions placed by HIPAA (https://www.hhs.gov/hipaa/for-professionals/privacy/index.html), which is often pronounced as if spelled "hippa."  Basically, with one notable exception, a physician cannot share personally identifiable information with anyone without explicit permission from the patient.  That includes anything in the chart.  The one exception is by and within insurance companies -- their lobbyists were better financed, so some skeptics say.

That law hit practicing physicians by surprise.  For example, in some instances, a surgeon was not allowed to share the patient's chart with the surgical pathologist without explicit permission, and permission forms at the time did not include that.  That was almost a disaster for hospital-based physicians.  Pathologists were affected most as they infrequently actually see the patient to ask permission.  That problem has largely been fixed.

The legacy of that stays with me.  My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission.  "Business associate" or not, and so forth. Such a law doesn't exist in the US or Australia to my knowledge, but I think it is worth considering whether the concept can be adapted reasonably to the problem you face in combating spammers and worse.

It's a given that moderators need access to email addresses to do their jobs.  If you could download the database from that site and then test individual email addresses against that database locally, that might be safe.  But that database is probably huge, and the site owner has good reasons not to share it.  Would it be practical only to download email addresses associated with certain domains, or domains + partial addresses associated with suspected bad actors, and then test their actual addresses against the addresses you have locally?  I don't know enough of the subject to suggest a reasonable solution, but my background leads me to not share information, regardless of how much I may trust the other entity, without getting a potentially affected individual's permission.

Anyway, any breach was done by me checking my email address, not you.  I accept accountability for doing that.
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #35 on: January 13, 2023, 12:58:40 am »
I'm aware of HIPAA and other such privacy regulations (mostly in Australia). My day job (which happens to be in cybersecurity) involves conducting security assessments as well as investigating breaches. Some of these breaches are "reportable" (for example, financial sectors). We do have privacy laws in Australia which do control how and what information is shared and of course that varies among organisations and industries. Since we're talking about laws and regulations, in this particular instance, I'm not bound by legislation to seek your permission, but that's getting beyond the scope of what happened/what we are talking about. You may object based on your own personal opinions and morals.

I agree with you, an email address is personally identifiable (in most respects) and whilst I understand where you're coming from and the concerns you raised, let me make it clear that your (or anyone else's) email address was not "shared" with anyone. It has not been stored anywhere except for the servers that run the EEVblog forum (and that's because you provided it). There is a clear distinction between "sharing" and my actions of submitting an email address for checking against a known list and then having that data discarded. No one else but me saw or will ever see those addresses.

Also, whilst HIBP does provide a list of compromised password hashes for anyone to download, it does not (and will never) supply a complete dump of compromised email addresses. That is the opposite to cybersecurity and is not what that service is about.

At the end of the day, I stand by my actions and strongly believe they were reasonable and justifiable. My actions were ultimately for the greater good. Should the breach actually have occurred on our end, I suspect people would have a very different reaction. Damned if you do, damned if you don't.
« Last Edit: January 13, 2023, 01:03:51 am by Halcyon »
 
The following users thanked this post: thm_w, alexnoot
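jpanhalt asked above whether a list could be downloaded and checked locally, and Halcyon notes that HIBP publishes its compromised password hashes (not email addresses) for download. As an added example, not code from the forum or from HIBP, the block below does exactly that offline: it parses a small constructed sample in the downloadable list's `HASH:COUNT` line format and checks candidate passwords against it, also showing the 5-hex-character prefix split that the service's k-anonymity range lookups use so that a full hash never has to leave the client. The sample digests, counts and candidate passwords are constructed for this example.

```python
"""Offline check of passwords against a Pwned-Passwords-style hash list (added example)."""
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed sample in the downloadable list's line format, "<SHA-1 hex>:<count>".
# The first two digests are SHA-1("password") and SHA-1("123456"); the counts are
# made up for this example. The third line is a constructed digest that matches no
# password tried below but shares the 5-character prefix of the first one.
SAMPLE_HASH_LIST = "\n".join([
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:2000000",
    "5BAA6" + "F" * 35 + ":3",
])

def load_hash_list(text: str) -> Dict[str, int]:
    """Parse HASH:COUNT lines into {uppercase digest: count}, skipping bad lines."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        digest, sep, count = line.strip().partition(":")
        digest = digest.upper()
        if not sep or len(digest) != 40 or not count.isdigit():
            continue  # blank, truncated or malformed line
        table[digest] = int(count)
    return table

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char k-anonymity prefix and 35-char suffix.

    Only the prefix would be sent to a range lookup; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_lookup(table: Dict[str, int], prefix: str) -> Dict[str, int]:
    """All suffixes in the local list sharing `prefix` -> count.

    This is the shape of a k-anonymity range response; here it is served from
    the locally loaded list, so nothing is sent anywhere.
    """
    return {h[5:]: c for h, c in table.items() if h.startswith(prefix)}

def pwned_count(password: str, table: Dict[str, int]) -> int:
    """How many times the password appears in the list; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return range_lookup(table, prefix).get(suffix, 0)

def audit(passwords: Iterable[str], table: Dict[str, int]) -> Dict[str, int]:
    """Map each candidate password to its count, for a batch check of reused passwords."""
    return {pw: pwned_count(pw, table) for pw in passwords}
```

With the real downloaded list the same `load_hash_list` applies to the file contents; a non-zero count means the password should be changed everywhere it is reused.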

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6389
  • Country: ca
  • Non-expert
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #36 on: January 13, 2023, 01:41:58 am »
Imagine caring about security of others and having people complain that you brought it up.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 
The following users thanked this post: alexanderbrevig, Halcyon, newbrain, Buriedcode, james_s

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #37 on: January 13, 2023, 02:04:38 am »
In the world of security, posting credentials used on one website to another non-related website is the worst idea ever (as already stated). Even if it is "trusted", which is a total fallacy.

Better advice is use unique strong passwords and if required ensure a reliable recovery method to regain access to a lost email account. If you suspect a website account has been compromised check the recovery email and security questions etc and then change passwords, again unique and strong.

I know the argument claiming their info was already in the public domain is enticing but users would reasonably expect those details (especially if hidden) not to be entered into another website without permission.
« Last Edit: January 13, 2023, 03:01:10 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #38 on: January 13, 2023, 03:54:44 am »
At the end of the day, the advice I have given is sound, but it doesn't work for everyone. Just like not everyone likes long, complex passwords, or the use of password managers. Adopt your own cybersecurity posture in a way that suits you based on some of the fundamental principles. There are countless sources of reliable information out there from plenty of other industry experts, as I said, you don't have to take my word for it, conduct your own research and make your own assessments.

We could go back and forth for weeks. I've said what I've said, I've done what I've done. Upon review, I wouldn't have approached things any differently.

Unless there are any further developments, I consider this matter appropriately dealt with. Feel free to discuss among yourselves.
 
The following users thanked this post: thm_w

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #39 on: January 13, 2023, 04:01:17 am »
 :popcorn:
 

Online MK14

  • Super Contributor
  • ***
  • Posts: 4539
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #40 on: January 13, 2023, 06:11:42 am »
Although, on the one hand, I want to basically praise, and agree with what you have been doing and done.  On the other hand, ...

Quote from: Halcyon
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.

How exactly did they (the hackers/spammers, or whatever they should be called), know which emails, belonged to EEVblog members?

Did they (something on the lines of) have a big list of compromised emails (tens of thousands, or millions or more), and speculatively, attempt to use each one, to either log on or change passwords, on this forum.

Because if they did, and it was scripted/automated (on their side), server/router/etc. automated rules (whatever it's called) possibly could have auto-banned the (presumably) single IP they used for such attempted account breaching.  I.e. a single IP address shouldn't be able to try many different email addresses without being challenged and/or given big/powerful captcha hurdles.

Also, the webpage which allows changing forgotten passwords (if applicable in this case, I don't know) could have a powerful captcha, to hopefully largely avert mass automated scripts from trying out massive lists of compromised email addresses.

One solution, would be an automatic, big captcha or set of them, when logging in to an account, which has been dormant for a period of time (no logins or posts).  E.g. 1 Month.

The current CAPTCHAs seem to be way too easy.  E.g. one seems to always say what is 84 / 2, which of course is 42.  But there is a second one, which is a little bit difficult, but not especially so.

Obviously there are many ways of improving (if necessary), such security.  There could be add on packages, which improve it, for the forum software.

Maybe the differing country code (from the IP address), I presume, could flag a possible security breach, and/or increase the number/difficulty of CAPTCHAs.
« Last Edit: January 13, 2023, 06:13:51 am by MK14 »
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #41 on: January 13, 2023, 11:56:02 am »
Really good questions MK14, to which I don't have all the answers.

Having spoken with Gnif (who administers the server side of things), I am satisfied that the breach did not occur on our end (I won't get into specifics). Among other things, should a list of usernames or email addresses have been leaked from our end, I'd expect a lot of users being sent automated emails with authentication failures. That hasn't happened. If it was a breach of both usernames and passwords, the fallout would have been far worse.

For all we know, it could have been part of the LastPass breach where usernames/passwords were stored alongside names of services or URLs. But that is pure speculation at this point. What I do suspect however is that the compromises against the forum accounts were automated, so we're probably looking at some kind of script or bot. In breaches of this nature, you don't tend to see actual humans plugging away at servers manually. The exceptions I've seen are some SQL injection attacks against low-hanging fruit, but even then, it still tends to be semi-automated.

We managed to identify that the traffic was coming from one particular IP address (which to no surprise, was a VPN). That IP has since been blocked and it looks like it has stopped the activity we were seeing previously. I suspect the automation in-place sees this as bad username/password and moves on to the next in the list, as opposed to changing IP addresses and re-trying. Again, this is just an educated guess at this point.

In terms of "what could be done" to protect against this and other types of spam/scams in the future is limited. I don't administer the server side of things and I'm not going to pretend to understand how SMF and its plug-ins work. That's Gnif's specialty. I've never set up a forum server in my life. I've come up with suggestions in the past to improve functionality but sometimes it's the case where it's easier said than done, or implementation of one thing breaks others. I'll let Gnif chime in here if he wants to.

I will say however that threat intelligence is a skill like any other and we don't want to completely give away our hand, what we know, or how we block threats. If someone is specifically targeting Dave and EEVblog, we want to keep them in the dark so they can't adjust their attack methods to get around specific mitigations.
« Last Edit: January 13, 2023, 12:11:02 pm by Halcyon »
 
The following users thanked this post: MK14

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #42 on: January 13, 2023, 12:31:18 pm »
Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with URLs matching their SMF dictionary. Then it's just a matter of trying those matches against this login.

I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.
 
The following users thanked this post: MK14

Offline madires

  • Super Contributor
  • ***
  • Posts: 7767
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #43 on: January 13, 2023, 12:40:42 pm »
Quote from: jpanhalt
The legacy of that stays with me.  My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission.

Isn't HIPAA meant for medical data only?
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #44 on: January 13, 2023, 12:46:40 pm »
Quote from: alexanderbrevig
Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with URLs matching their SMF dictionary. Then it's just a matter of trying those matches against this login.

I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.

Yep. You're probably right.

If you can think of a way to exploit a system or at least automate some kind of list, chances are someone, somewhere has already done it 10x better and faster.
« Last Edit: January 13, 2023, 12:48:21 pm by Halcyon »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7767
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #45 on: January 13, 2023, 01:10:42 pm »
Quote from: MK14
Because if they did, and it was scripted/automated (on their side), server/router/etc. automated rules (whatever it's called) possibly could have auto-banned the (presumably) single IP they used for such attempted account breaching.  I.e. a single IP address shouldn't be able to try many different email addresses without being challenged and/or given big/powerful captcha hurdles.

Some botnets are a bit more professional and perform controlled distributed attacks/scans, i.e. from many different IP addresses with random delays to hide their activity in the common noise created by the bad guys. Can be quite hard to spot.
 
The following users thanked this post: MK14
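MK14's suggestion above (one IP should not get to try many different email addresses unchallenged) and madires' caveat (a botnet spreads the attempts over many IPs with delays) translate into two complementary detection rules. As an added example, not code from the forum or from SMF, the block below runs both over a constructed login log: a per-IP rule that keys on distinct accounts attempted from one address within a window, and a site-wide rule that flags a window where many distinct accounts fail from many distinct sources, which the per-IP rule alone cannot see. The log format, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions made for this example.

```python
"""Credential-stuffing detection over forum login logs (added example; see lead-in)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple

class Attempt(NamedTuple):
    when: datetime
    ip: str
    user: str
    ok: bool

# Constructed log, documentation-range IPs only (RFC 5737); not a real SMF log.
# 22:00-22:03: one IP fails against six accounts (single-source stuffing).
# 22:01: a legitimate member logs in from another IP.
# 23:00-23:08: nine IPs each fail once against a different account (distributed).
SAMPLE_LOG = [
    "2023-01-12T22:00:05Z ip=203.0.113.7 user=a1@example.com result=FAIL",
    "2023-01-12T22:00:31Z ip=203.0.113.7 user=a2@example.com result=FAIL",
    "2023-01-12T22:01:02Z ip=198.51.100.20 user=member@example.net result=OK",
    "2023-01-12T22:01:10Z ip=203.0.113.7 user=a3@example.com result=FAIL",
    "2023-01-12T22:01:44Z ip=203.0.113.7 user=a4@example.com result=FAIL",
    "2023-01-12T22:02:19Z ip=203.0.113.7 user=a5@example.com result=FAIL",
    "2023-01-12T22:02:58Z ip=203.0.113.7 user=a6@example.com result=FAIL",
] + [
    f"2023-01-12T23:0{i}:00Z ip=198.51.100.{30 + i} user=b{i}@example.org result=FAIL"
    for i in range(9)
]

def parse_line(line: str) -> Attempt:
    """Parse '<ISO-8601 time> ip=<addr> user=<email> result=<OK|FAIL>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Attempt(when, kv["ip"], kv["user"], kv["result"] == "OK")

def failure_windows(attempts: List[Attempt],
                    window: timedelta) -> Iterator[Tuple[datetime, List[Attempt]]]:
    """Yield (start, failures) for a window of length `window` opening at each failure."""
    fails = sorted((a for a in attempts if not a.ok), key=lambda a: a.when)
    for i, first in enumerate(fails):
        end = first.when + window
        yield first.when, [a for a in fails[i:] if a.when < end]

def single_source_stuffing(attempts: List[Attempt], window: timedelta,
                           threshold: int) -> Dict[str, int]:
    """IPs that failed against >= threshold distinct accounts inside one window.

    The per-IP rule MK14 describes: a block or CAPTCHA step-up would key on it.
    Maps each flagged IP to the most distinct accounts it hit in any window.
    """
    worst: Dict[str, int] = defaultdict(int)
    for _, fails in failure_windows(attempts, window):
        per_ip: Dict[str, Set[str]] = defaultdict(set)
        for a in fails:
            per_ip[a.ip].add(a.user)
        for ip, users in per_ip.items():
            worst[ip] = max(worst[ip], len(users))
    return {ip: n for ip, n in worst.items() if n >= threshold}

def distributed_spray(attempts: List[Attempt], window: timedelta,
                      threshold: int) -> List[Tuple[datetime, int, int]]:
    """Windows where many distinct accounts fail from many distinct IPs.

    With one attempt per IP the per-IP rule sees nothing (madires' botnet case);
    only the site-wide view catches it. Returns (start, accounts, ips) per window.
    """
    flagged = []
    for start, fails in failure_windows(attempts, window):
        users = {a.user for a in fails}
        ips = {a.ip for a in fails}
        if len(users) >= threshold and len(ips) >= threshold:
            flagged.append((start, len(users), len(ips)))
    return flagged

def analyse(lines: List[str], window: timedelta = timedelta(minutes=10),
            per_ip_threshold: int = 5, spread_threshold: int = 8) -> Dict[str, object]:
    """Run both rules over raw log lines; the thresholds are illustrative only."""
    attempts = [parse_line(line) for line in lines]
    return {
        "stuffing_ips": single_source_stuffing(attempts, window, per_ip_threshold),
        "distributed_windows": distributed_spray(attempts, window, spread_threshold),
    }
```

On the sample, the first rule flags only 203.0.113.7 and the second flags only the 23:00 burst, which is the point: each rule misses the pattern the other catches, and a slow enough botnet evades both unless the window is widened against the site's normal failure baseline.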

Offline AndyBeez

  • Frequent Contributor
  • **
  • Posts: 856
  • Country: nu
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #46 on: January 13, 2023, 01:30:56 pm »
@Halcyon: ever feel you're p*ssing in the breeze with some of these guys?
 
The following users thanked this post: SeanB

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #47 on: January 13, 2023, 01:59:51 pm »
To be fair, typing your users' email addresses into some random 3rd party website would probably be illegal under current EUSSR regulations; dunno how the situation is in Oz.
 

Offline Shock

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #48 on: January 13, 2023, 03:30:11 pm »
Quote from: Halcyon
At the end of the day, the advice I have given is sound, but it doesn't work for everyone.

Not sound advice, which is why people are bringing it up.

There are circumstances where it's acceptable (if you ask for permission) but I think you are confusing forum members' credentials with your employees' or clients' credentials.

The bit about who you work for, your government customers, the password management you use, the fact you are getting spam in your inbox, all useful to hackers. Quick harvest of all the published emails on the forum and a phishing attack linking to this thread with all the people backing you up saying this is good advice makes it easier to exploit the situation.

Which is why it's never a good idea to discuss security stuff openly on the forum which hopefully you may take onboard with the other advice given.
« Last Edit: January 13, 2023, 03:56:08 pm by Shock »
 

Online MK14

  • Super Contributor
  • ***
  • Posts: 4539
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #49 on: January 13, 2023, 06:39:24 pm »
Quote from: madires
Some botnets are a bit more professional and perform controlled distributed attacks/scans, i.e. from many different IP addresses with random delays to hide their activity in the common noise created by the bad guys. Can be quite hard to spot.

I agree, and think it is generally accepted that some of the measures I mentioned (and similar techniques) pick up or prevent (wild estimate) 50% to 90% of possible attacks.  But that is still at least an improvement.

On the bright side though, this website (forum) seems to only primarily record people's email addresses and some metadata (their IP addresses etc).  So, unless a user shares more information (e.g. by using a password shared with other things), or provides more contact information etc., there is relatively little information that powerful hacks on the forum webserver would be able to obtain.

As I see it, if you have used that same email address on 25 to 200+ websites already, sooner or later (but not definitely) that email address will risk becoming relatively common knowledge to some bad guys.
« Last Edit: January 13, 2023, 06:41:25 pm by MK14 »
 

