Check your email address(s) and passwords for cyber security breaches
MK14:
Although, on the one hand, I want to basically praise, and agree with what you have been doing and done. On the other hand, ...
--- Quote from: Halcyon on January 11, 2023, 10:44:49 pm ---I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.
--- End quote ---
How exactly did they (the hackers/spammers, or whatever they should be called) know which emails belonged to EEVblog members?
Did they (something along the lines of) have a big list of compromised emails (tens of thousands, or millions or more), and speculatively attempt to use each one to either log on or change passwords on this forum?
Because if they did, and it was scripted/automated (on their side), server/router/etc. automated rules (whatever it's called) possibly could have auto-banned the (presumably) single IP they used for such attempted account breaching. I.e. a single IP address shouldn't be able to try many different email addresses without being challenged and/or given big/powerful CAPTCHA hurdles.
Also, the webpage which allows changing forgotten passwords (if applicable in this case, I don't know) could have a powerful CAPTCHA, to hopefully largely avert mass automated scripts from trying out massive lists of compromised email addresses.
One solution would be an automatic, big CAPTCHA, or set of them, when logging in to an account which has been dormant for a period of time (no logins or posts), e.g. 1 month.
The current CAPTCHAs seem to be way too easy. E.g. one seems to always say what is 84 / 2, which of course is 42. But there is a second one, which is a little bit difficult, but not especially so.
Obviously there are many ways of improving (if necessary) such security. There could be add-on packages for the forum software which improve it.
Maybe a differing country code (from the IP address), I presume, could flag a possible security breach, and/or increase the number/difficulty of CAPTCHAs.
Halcyon:
Really good questions MK14, to which I don't have all the answers.
Having spoken with Gnif (who administers the server side of things), I am satisfied that the breach did not occur on our end (I won't get into specifics). Among other things, should a list of usernames or email addresses have been leaked from our end, I'd expect a lot of users to be sent automated emails with authentication failures. That hasn't happened. If it was a breach of both usernames and passwords, the fallout would have been far worse.
For all we know, it could have been part of the LastPass breach where usernames/passwords were stored alongside names of services or URLs. But that is pure speculation at this point. What I do suspect however is that the compromises against the forum accounts were automated, so we're probably looking at some kind of script or bot. In breaches of this nature, you don't tend to see actual humans plugging away at servers manually. The exceptions I've seen are some SQL injection attacks against low-hanging fruit, but even then, it still tends to be semi-automated.
We managed to identify that the traffic was coming from one particular IP address (which to no surprise, was a VPN). That IP has since been blocked and it looks like it has stopped the activity we were seeing previously. I suspect the automation in-place sees this as bad username/password and moves on to the next in the list, as opposed to changing IP addresses and re-trying. Again, this is just an educated guess at this point.
In terms of "what could be done" to protect against this and other types of spam/scams in the future, the options are limited. I don't administer the server side of things and I'm not going to pretend to understand how SMF and its plug-ins work. That's Gnif's specialty. I've never set up a forum server in my life. I've come up with suggestions in the past to improve functionality but sometimes it's the case where it's easier said than done, or implementation of one thing breaks others. I'll let Gnif chime in here if he wants to.
I will say however that threat intelligence is a skill like any other and we don't want to completely give away our hand, what we know, or how we block threats. If someone is specifically targeting Dave and EEVblog, we want to keep them in the dark so they can't adjust their attack methods to get around specific mitigations.
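The two posts above describe the same defensive pattern from both sides: MK14 asks why a single IP trying many different email addresses was not challenged or auto-banned, and Halcyon reports that the activity did in fact come from one IP and was almost certainly scripted. The following Python is an added example, not code from the forum, SMF, or either poster. It shows detection logic run over a constructed authentication log (the IP addresses, email addresses, timestamps and thresholds are all invented), plus the "extra friction for dormant accounts" policy MK14 proposes. The log format, the 5-minute window, the 4-account threshold and the 30-day dormancy cut-off are assumptions chosen for illustration.

```python
"""Credential-stuffing detection and a dormant-account login policy.

Constructed example for illustration: the log lines, addresses and
thresholds are invented and are not the forum's own data or code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: "<ISO timestamp> <source ip> <account email> <result>".
# 203.0.113.7 walks through many different accounts in seconds (stuffing);
# 198.51.100.9 is one user retrying their own account after typos.
SAMPLE_AUTH_LOG = """\
2023-01-11T22:01:03 203.0.113.7 alice@example.com FAIL
2023-01-11T22:01:05 203.0.113.7 bob@example.com FAIL
2023-01-11T22:01:06 203.0.113.7 carol@example.com OK
2023-01-11T22:01:08 203.0.113.7 dave@example.com FAIL
2023-01-11T22:01:09 203.0.113.7 erin@example.com FAIL
2023-01-11T22:03:40 198.51.100.9 frank@example.com FAIL
2023-01-11T22:03:55 198.51.100.9 frank@example.com FAIL
2023-01-11T22:04:10 198.51.100.9 frank@example.com OK
"""


def parse_auth_log(text):
    """Turn the log text into (timestamp, ip, email, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, email.lower(), result))
    return events


def find_spraying_ips(events, window=timedelta(minutes=5), max_distinct=4):
    """Return {ip: peak distinct accounts} for IPs that try more than
    `max_distinct` different accounts inside any sliding `window`.

    Counting distinct accounts per IP (rather than raw failures) separates
    a bot working through a breach list from a person retrying their own
    password: the latter produces many failures against one account.
    """
    by_ip = defaultdict(list)
    for ts, ip, email, _ in sorted(events):
        by_ip[ip].append((ts, email))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {email for _, email in attempts[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def accounts_hit_from(events, flagged_ips):
    """Accounts that saw a *successful* login from a flagged IP: the list a
    moderator would use to reset passwords and notify the affected users."""
    return {email for _, ip, email, result in events
            if ip in flagged_ips and result == "OK"}


def login_challenge_level(last_activity, now,
                          dormant_after=timedelta(days=30), ip_flagged=False):
    """Friction to apply to a login attempt:
    0 = none, 1 = CAPTCHA (dormant account), 2 = CAPTCHA plus an e-mail
    confirmation step (request comes from an IP already flagged)."""
    level = 0
    if last_activity is None or now - last_activity >= dormant_after:
        level = 1
    if ip_flagged:
        level = 2
    return level


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    bad = find_spraying_ips(evts)
    print("flagged IPs:", bad)
    print("accounts to reset:", accounts_hit_from(evts, set(bad)))
    print("dormant login level:",
          login_challenge_level(datetime(2022, 11, 1), datetime(2023, 1, 11)))
```

The distinct-accounts-per-IP measure is the part worth keeping: raw failure counts would also flag the legitimate user at 198.51.100.9, while the stuffing bot is only visible because one address touches five accounts in six seconds. In production the same counter would sit in front of the login handler (to block or challenge in real time) rather than run over a log afterwards, and a VPN exit shared by many users would need a higher threshold than a residential address.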
alexanderbrevig:
Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with URLs matching their SMF dictionary. Then it's just a matter of trying those matches against this login.
I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.
madires:
--- Quote from: jpanhalt on January 13, 2023, 12:45:19 am ---The legacy of that stays with me. My email address that I shared with EEVBlog is personally identifiable, and if HIPAA applied, it should not be shared with anyone -- reputable or not -- without my permission.
--- End quote ---
Isn't HIPAA meant for medical data only?
Halcyon:
--- Quote from: alexanderbrevig on January 13, 2023, 12:31:18 pm ---Most likely this forum is on a list of known SMF installs. I don't think it's unlikely that the new Twitter leak is to blame. Probably they found tweets from leaked accounts with URLs matching their SMF dictionary. Then it's just a matter of trying those matches against this login.
I do not at all think they "know which emails, belonged to EEVblog members" but rather discovered a likelihood based on OSINT, and simply tried all the candidates.
--- End quote ---
Yep. You're probably right.
If you can think of a way to exploit a system or at least automate some kind of list, chances are someone, somewhere has already done it 10x better and faster.