
Hacking & Security

meowington

Parody Parrot
Joined
May 22, 2008
Messages
1,264
MBTI Type
INFJ
Enneagram
6w7
If you make an account on let's say, some cooking forum and then use the same password & email account for other forum accounts, like facebook, you're basically just handing out your facebook account to the cooking forum webmaster. That guy/girl only needs to take a list of registered accounts and try them at facebook. However stupid as this example may sound, it happens a gazillion times, even as we speak. I think hackers more often exploit stupidity on the endusers' side than they exploit technical security breaches (like heartbleed). That's all :) Am I right?
 

Mal12345

Permabanned
Joined
Apr 19, 2011
Messages
14,532
MBTI Type
IxTP
Enneagram
5w4
Instinctual Variant
sx/sp
If you make an account on let's say, some cooking forum and then use the same password & email account for other forum accounts, like facebook, you're basically just handing out your facebook account to the cooking forum webmaster. That guy/girl only needs to take a list of registered accounts and try them at facebook. However stupid as this example may sound, it happens a gazillion times, even as we speak. I think hackers more often exploit stupidity on the endusers' side than they exploit technical security breaches (like heartbleed). That's all :) Am I right?

How does the webmaster get your password?
 

Qlip

Post Human Post
Joined
Jul 30, 2010
Messages
8,464
MBTI Type
ENFP
Enneagram
4w5
Instinctual Variant
sp/sx
If you make an account on let's say, some cooking forum and then use the same password & email account for other forum accounts, like facebook, you're basically just handing out your facebook account to the cooking forum webmaster. That guy/girl only needs to take a list of registered accounts and try them at facebook. However stupid as this example may sound, it happens a gazillion times, even as we speak. I think hackers more often exploit stupidity on the endusers' side than they exploit technical security breaches (like heartbleed). That's all :) Am I right?

Kinda. I believe this is happening, because it's easy to do. But with reputable forums, and with standard forum software, the passwords are encrypted and not accessible in-the-clear to anybody. Technically the forum doesn't even know your password, it just knows that what you typed in matches the password you specified when processed through some mathematical operations.
 

meowington

Parody Parrot
Joined
May 22, 2008
Messages
1,264
MBTI Type
INFJ
Enneagram
6w7
How does the webmaster get your password?

If it's a site that has been custom programmed by the webmaster, he/she can read it from his/her database.
I guess @Qlip has a point: most predefined forum platforms use encrypted passes that even the webmaster can't read. But you never quite know what goes on on the other side of the veil.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
If you make an account on let's say, some cooking forum and then use the same password & email account for other forum accounts, like facebook, you're basically just handing out your facebook account to the cooking forum webmaster. That guy/girl only needs to take a list of registered accounts and try them at facebook. However stupid as this example may sound, it happens a gazillion times, even as we speak. I think hackers more often exploit stupidity on the endusers' side than they exploit technical security breaches (like heartbleed). That's all :) Am I right?

No, that's not right exactly, but there is truth to some of what you are saying. Software vulnerabilities and phishing are probably the biggest entry point these days.

Nobody has access to passwords here for example. VBulletin hashes them with MD5. A hashing function is like a one way encryption algorithm. When you login, it runs the hashing algorithm against what you entered and compares it to the hashed password in the database to see if they match. Of course you could program a site to do whatever you wanted, including capturing people's passwords, but I doubt many webmasters would care to bother. It's more likely that the site would get hacked and software installed to capture passwords, or that your PC gets hacked with malware on it and the passwords would be stolen from your machine that way. It does happen sometimes, however, that databases with passwords are hacked, and it is not a good idea to use say your bank account password for other things.
 

meowington

Parody Parrot
Joined
May 22, 2008
Messages
1,264
MBTI Type
INFJ
Enneagram
6w7
Yeah, phishing: another technique that relies on user stupidity rather than sophistication.
Or java plugins and other kinds of add-ons on certain websites. When you click accept you basically give full control to whoever programmed the thing, right!?
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Yeah, phishing: another technique that relies on user stupidity rather than sophistication.
Or java plugins and other kinds of add-ons on certain websites. When you click accept you basically give full control to whoever programmed the thing, right!?

Yes, that's true, but it typically includes a technical component, like a malware-infected attached file.
 

RDF

Guest
If you make an account on let's say, some cooking forum and then use the same password & email account for other forum accounts, like facebook, you're basically just handing out your facebook account to the cooking forum webmaster. That guy/girl only needs to take a list of registered accounts and try them at facebook. However stupid as this example may sound, it happens a gazillion times, even as we speak. I think hackers more often exploit stupidity on the endusers' side than they exploit technical security breaches (like heartbleed). That's all :) Am I right?

Speaking of Heartbleed, FYI here's a link to a two-minute video from The Wall Street Journal on how to deal with the Heartbleed hack, including providing a web address for a central site listing which major companies have patched their software:

http://live.wsj.com/video/heartblee...rtbleed#!F3DDAE69-31C7-4E8D-B7C0-306A6E3CD680

If anyone wants more background on the Heartbleed bug, WSJ has been doing lots of coverage; just use the search function at the WSJ home page.
 

INTP

Active member
Joined
Jul 31, 2009
Messages
7,803
MBTI Type
intp
Enneagram
5w4
Instinctual Variant
sx
Hackers don't run websites to gather passwords, they hack websites and then gather the passwords. There was a really big case of this happening a while ago in Diablo 3. This one Diablo 3 fan site was hacked by some Chinese people and gathered the passwords for a long time. People started wondering how it's possible that so many people are getting hacked and finally they figured it was that one fan site that was hacked and they just tested everyone's passwords if they were the same as their Diablo 3 account. I think they got like tens of thousands of people, whose accounts they cleaned and sold the items/gold and then sold the accounts dirt cheap for someone else to use them as spam bots in game.
 

meowington

Parody Parrot
Joined
May 22, 2008
Messages
1,264
MBTI Type
INFJ
Enneagram
6w7
Hackers don't run websites to gather passwords, they hack websites and then gather the passwords. There was a really big case of this happening a while ago in Diablo 3. This one Diablo 3 fan site was hacked by some Chinese people and gathered the passwords for a long time. People started wondering how it's possible that so many people are getting hacked and finally they figured it was that one fan site that was hacked and they just tested everyone's passwords if they were the same as their Diablo 3 account. I think they got like tens of thousands of people, whose accounts they cleaned and sold the items/gold and then sold the accounts dirt cheap for someone else to use them as spam bots in game.

Yeah I remember that. Didn't know the details behind it though.
I was an avid D3 player the first few months :) (Witch doctor mostly :))

I started changing all my accounts (30+) yesterday, using a pass generator.
But even then I do not have the false pretension anymore that my data is exclusively mine.
That's one thing the last few years have taught me.
 

ptgatsby

Well-known member
Joined
Apr 24, 2007
Messages
4,476
MBTI Type
ISTP
Nobody has access to passwords here for example. VBulletin hashes them with MD5. A hashing function is like a one way encryption algorithm. When you login, it runs the hashing algorithm against what you entered and compares it to the hashed password in the database to see if they match. Of course you could program a site to do whatever you wanted, including capturing people's passwords, but I doubt many webmasters would care to bother. It's more likely that the site would get hacked and software installed to capture passwords, or that your PC gets hacked with malware on it and the passwords would be stolen from your machine that way. It does happen sometimes, however, that databases with passwords are hacked, and it is not a good idea to use say your bank account password for other things.

Just want to point out that MD5 is not at all secure. MD-5 may be better than SHA-1, but we are talking a maximum of hours regardless of password length or complexity. We are upwards of 4 billion tests/second (MD-5, 2^32 to 2^33) on a standard PC. Any form of distributable computing power (e.g. Amazon EC2, GPU tiers) can run a couple of orders of magnitude above that for about a dollar an hour (EC2 large GPU can run 64 parallel cores at about 2^33, afaik). Password ranges are about 2^38 to 2^46 in brute force, which translates to ~1 min to 273 hours. Note that 2^46 is rather extreme and is a 25+ character password. Unsalted means it takes that long to break everyone's password. Rainbow salts means you will have half the passwords in some variation of that time (say 5-50x).

Don't reuse passwords. Anyone with access to the database can have your password if they want to.
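As an added illustration (not code from this thread, from vBulletin, or from any poster), here is the hash-and-compare login check highlander describes, stored as unsalted MD5, next to a salted and deliberately slow PBKDF2 form, plus a small audit that shows why the unsalted table is cheap to crack wholesale, which is ptgatsby's point. The users and passwords are constructed samples.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def md5_store(password: str) -> str:
    """Unsalted MD5, as the thread describes: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    """Login check: hash what the user typed and compare with the stored digest."""
    return hmac.compare_digest(md5_store(password), stored)


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Hardened form: per-user random salt plus a slow key derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_count(table: dict) -> int:
    """Audit: how many accounts share a stored hash with another account.

    With unsalted hashes, equal passwords give equal digests, so one guess that
    matches a digest opens every account holding it, and a single pass over a
    guess list covers the whole table. Salting makes every row independent."""
    counts = {}
    for h in table.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def build_tables():
    """Build both password tables for the sample users."""
    md5_table = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return md5_table, pbkdf2_table
```

Running `duplicate_hash_count` on the two tables gives 2 for the MD5 table (alice and bob collide) and 0 for the PBKDF2 table, even though both hold the same passwords.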
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Just want to point out that MD5 is not at all secure. MD-5 may be better than SHA-1, but we are talking a maximum of hours regardless of password length or complexity. We are upwards of 4 billion tests/second (MD-5, 2^32 to 2^33) on a standard PC. Any form of distributable computing power (e.g. Amazon EC2, GPU tiers) can run a couple of orders of magnitude above that for about a dollar an hour (EC2 large GPU can run 64 parallel cores at about 2^33, afaik). Password ranges are about 2^38 to 2^46 in brute force, which translates to ~1 min to 273 hours. Note that 2^46 is rather extreme and is a 25+ character password. Unsalted means it takes that long to break everyone's password. Rainbow salts means you will have half the passwords in some variation of that time (say 5-50x).

Don't reuse passwords. Anyone with access to the database can have your password if they want to.

It's true. Anyone with access to the password encrypted database can crack passwords. That poses a risk to other systems the person may have access to if they use the same password.
 

Retmeishka

New member
Joined
Jan 13, 2011
Messages
239
MBTI Type
ISTP
Yeah, phishing: another technique that relies on user stupidity rather than sophistication.
Or java plugins and other kinds of add-ons on certain websites. When you click accept you basically give full control to whoever programmed the thing, right!?

I could be wrong, but I think I remember reading about how 'yes' and 'no' don't mean anything, they mean whatever the programmer wants them to mean. You could just as well be pushing a button that says 'green' or 'blue.' Any button you push on the dialog box does whatever the programmer wanted it to mean, I think (but again I could be wrong). And if I recall, some malware just does whatever it wants to do regardless of what buttons you push. You don't have to push any buttons on any dialog boxes at all. They just get in. I know because I tried, and failed, to fight the battle against constant harassment from some unknown hacker(s) years ago, and did some research on it.
 

Ginkgo

Guest
Kinda. I believe this is happening, because it's easy to do. But with reputable forums, and with standard forum software, the passwords are encrypted and not accessible in-the-clear to anybody. Technically the forum doesn't even know your password, it just knows that what you typed in matches the password you specified when processed through some mathematical operations.

^
 

meowington

Parody Parrot
Joined
May 22, 2008
Messages
1,264
MBTI Type
INFJ
Enneagram
6w7
I could be wrong, but I think I remember reading about how 'yes' and 'no' don't mean anything, they mean whatever the programmer wants them to mean. You could just as well be pushing a button that says 'green' or 'blue.' Any button you push on the dialog box does whatever the programmer wanted it to mean, I think (but again I could be wrong). And if I recall, some malware just does whatever it wants to do regardless of what buttons you push. You don't have to push any buttons on any dialog boxes at all. They just get in. I know because I tried, and failed, to fight the battle against constant harassment from some unknown hacker(s) years ago, and did some research on it.

Yes, very true. You could be pushing a "no" or "cancel" button and it will execute what the "hacker" wants anyway. Even doing a simple "mouse over" movement could trigger some malicious code, if your browser's security settings allow it.
 

Retmeishka

New member
Joined
Jan 13, 2011
Messages
239
MBTI Type
ISTP
Even doing a simple "mouse over" movement

EVEN JUST THINKING ABOUT IT, ha ha. I forgot about mouse over, but yeah, you're right. I actually had a policy for a while there when I would get a weird popup box on my browser - I would just alt-tab or click some other tab to just get away from the page, and then shut the page down without even touching the dialog box. But I had actually forgotten why that was my policy. (This was back when I was still trying to troubleshoot the computer problem and/or avoid being hacked into. I haven't been that worried about it for a long time now.)
 