Site Security and phishing [Read Only] - HJ Commercial
Dear backroomers,

Thank you very much for your patience on this matter. We do our utmost to continually ensure that our interactive systems are as secure as possible, and regularly review the extensive measures in place to safeguard our visitors.

However, the site security has recently been compromised. All evidence points to random hackers based in Eastern Europe, who focused their efforts on causing chaos in the main site. The server was not compromised.

We have addressed the issue, putting additional security measures in place. We are also now adding a further level of protection to encrypt passwords; this will be implemented by Wed 1st July.

Meanwhile, the advice: please change your password, alter your password at regular intervals, and avoid using the same password across multiple sites. Ensure your computer is up to date with virus software.

Many thanks for your continued support

The Honest John publishing team

Edited by rtj70 on 26/06/2009 at 12:54

Site Security and phishing - pmh2
So you are saying that the passwords were not encrypted, and all have been compromised!

You also say the server was not compromised - how did the hackers gain access to the user names and passwords if they did not get into the server?

How do you account for the experience of at least one user of the site that spam to his address appeared to stop once you had been aware that the site had been compromised?

p

Edited by pmh2 on 25/06/2009 at 19:44

Site Security and phishing - cepi
So plain text information on usernames and passwords? A bit like in the '90s.
Not worried about the password, but more about whether the hackers have gained access to the emails of users.
Site Security and phishing - adverse camber
It is extremely unlikely that people's emails have been accessed as a result of anything happening on the hj site.

There is an outside possibility that if someone used the same password for everything (a very bad idea) then they may be open if their email address and password have been obtained.
Site Security and phishing - Stephen
You also say the server was not compromised - how did the hackers gain access to the user names and passwords if they did not get into the server?

There is a site administration section. Someone outside unfortunately got hold of an admin username and password with top level privileges and logged into that section.
(Imagine someone getting hold of your car keys. No matter how good your keys are they still get in and do what they like with it.) They also look like a normal admin user.
This is the first time in 10 years that we have encountered this issue.

Forum users are administered within the admin section of this site.
The server hosts the site and has its own security and this wasn't compromised.

As for encrypted passwords, there are pros and cons for both approaches. Even some large email providers don't encrypt passwords. It's always good practice not to use the same password across sites.
How do you account for the experience of at least one user of the site that spam to his address appeared to stop once you had been aware that the site had been compromised?

Once we were aware that the site had been compromised we changed admin login details. So I don't know why this user's spam would appear to stop suddenly as this seems to be unrelated.

We have increased the security of access on the site's admin.
However, if someone still gets hold of the new usernames and passwords to this site, they will still get in, just like if anyone got hold of your bank card and PIN they could raid your account.
----------------------------------
Stephen Khoo
www.khoosys.net
Site Security and phishing - pmh2
Stephen - Thank you for a proper explanation.

It would probably have been better to offer a full explanation in the first instance rather than the 'spun' version. There are enough technically aware people on this site who would have expected a technically credible response.

p
Site Security and phishing - Mr X
I'd like to think it was the hand of Eastern Europe's get rich quick brigade but myself, I suspect the involvement of GCHQ, looking to serve its masters and weed out those of us who have made it clear we are not happy with fuel duty rates or car taxes in general.

See you all downstairs in room 107, the MI5 building.
Site Security and phishing - Martin Devon
Just had another one in from Cahoot

MD
Site Security and phishing - Clk Sec
>>Just had another one in from Cahoot

Same here.

Clk Sec
Site Security and phishing - 1400ted
>>Just had another one in from Cahoot


same here

Ted
Site Security and phishing - Lud
>>Just had another one in from Cahoot


same here

And me. But it would never have occurred to me to blame this site.

I get all sorts of spam, seldom offensive, usually commercial, usually signalled by my browser (Firefox).

I don't blame this site and I don't feel threatened. I blame Cahoot, but you can see its point sort of. It's a capitalist virtual universe after all, no?
Site Security and phishing - L'escargot
>> >>Just had another one in from Cahoot

But it would never have occurred to me to blame this site.


Same here.
Site Security and phishing - rtj70
If someone got a list from here and sold it then we'd all get the same emails. I don't think we do. If you've ever given your email details (and others) to a site and said it's okay for them and their "partner sites" to contact you... there's the likely cause. That's how that new mobile phone directory got their 15 million numbers.

The time I got most junk emails (and calls) was when using a car insurance comparison website looking for insurance for my step-son. Two years later I still get insurance emails close to the renewal date!
Site Security and phishing - adverse camber
With respect Rob, I think we are quite sure that the email addresses have been harvested from this site. The emails I received which prompted the original question were from one shot addresses, only used to register with this site.

That's not to say that some people are not also receiving spam for other reasons. Goodness knows there are enough spammers out there.

Edited by Dynamic Dave on 26/06/2009 at 00:49

Site Security and phishing - rtj70
Which leaves me wondering why I have not seen the spam. Maybe where the email address is hosted has good spam filters at their end ;-)

I'm not defending the site BTW. Just trying to stop some people panicking. But if anyone uses this email address and same password on an important site then do worry and change the password on that site.

Thankfully sites like banks are pretty secure. I cannot log on to my account and transfer/pay anything without the special card reader and my card and my PIN - and the username/password before this enhancement was provided. For another bank online you can login and pay those you have before but not pay anyone new etc. without your bank card, a reader and your PIN.

A more worrying example of breached security is the use of key loggers on public PCs (e.g. libraries) where I know bank accounts details have been known to be collected and used.
Site Security and phishing - nortones2
Changed email address and password (to a unique password) and now have very amateurish spam from "Cahoot", on my alternate email address. Seems not all is well yet!!!!! Or it's just a coincidence.

Edited by nortones2 on 25/06/2009 at 22:12

Site Security and phishing - rtj70
Or it's just a coincidence.


If you are saying the spam was sent to an email address that has nothing to do with you accessing this site.... yes it proves a lot of this could be coincidence.
Site Security and phishing - nortones2
The email address, used from 23 June was different from my previous address. I changed my password at the same time. I've changed the password again. IIRC, the previous junk re "banks" was to the original address.
Site Security and phishing - jbif
If you are saying the spam was sent to an email address that has nothing to do with you accessing this site.... yes it proves a lot of this could be coincidence. >>


I read it the other way, to mean the opposite - that he had registered a new email address for accessing HJ.co.uk and that has now got a cahoot spam email. If so, it is worrying as it would indicate that the new address has been harvested from HJ.co.uk.

I shall register a new complex email address on this site tomorrow and see what happens.

Site Security and phishing - rtj70
I trust that is a good idea jbif and do keep us (Especially me) posted. I've received no spam like this yet. My new computer as of this week has not even been setup with a junk mail filter so any spam would be seen.

If the other poster is saying a new email registered on here recently got spam then that is "interesting" to say the least.
Site Security and phishing - jbif
I trust that is a good idea jbif and do keep us (Especially me) posted. >>


I have now registered a new email address, with a service which is good enough to warn me that the authentication email from the Webmaster@hj may be forged!

"Warning: This message may be forged. The return path (a p a c h e @ webs .honestjohn .co .uk) does not match the from address. " [note: - spaces added by me in the address]

Site Security and phishing - oilrag
As I've said before though - how can the interests of inactive/unaware members be safeguarded? It seems that with passwords and email addresses out in the public domain anyone who does not change their password could be spoofed.

If I had left the Forum a while back, I would be pretty unhappy if someone took over my nick and started to post. Even more so if the possibility was known about.

Unlikely? perhaps - but possible and no one would know.

Doesn't that also drive a coach and horses through the conditions we all agree to when signing up?

All the best in sorting it anyway.
Site Security and phishing - Mr X
I'm one of the lucky ones. From what I've read on here, nobody would want to be me !
Site Security and phishing - Hamsafar
"It's always good practice not to use the same password across sites."

Very much so. Imagine if people were to join some site which would ask for their email address and a password as part of the registration process.
If the website visitor then used the same password for the site that they used for the email address that they also used to register, then the site owner has got a list of usernames, passwords and email addresses, and he could easily try logging on to yahoo, hotmail and other webmails with the passwords used to register with the site. Many of them are bound to get you into the email account to hijack it, as people use the same password for everything.

If you do have trouble remembering different passwords, at least use a different one for your email account to any other site you register with.

Site Security and phishing - jbif
Very much so. Imagine if people were to join some site which would ask for their email address and a password as part of the registration process. >>


I know someone who uses the same password [easily guessed too] for everything, including when confirming ID over the phone! That is despite my trying the utmost to convince them of the dangers of doing so.

Edited by jbif on 25/06/2009 at 22:47

Site Security and phishing - oilrag
I changed my password after the incident, but now understand they are still not encrypted. It seems a waste of time changing them until the site encrypts a new password at the point of submission.
Site Security and phishing - maz64
I tried creating an HJ account using the trick mentioned by another poster of adding '+X' on the end of the first part of my Gmail email address eg. focus+hj@gmail.com. I tried sending an email to this address from my work email and it got through to my Gmail account ok.

However, the registration process wouldn't accept the address, saying it was in the wrong form - presumably it doesn't like the '+'. Is it valid for it to do that ie. is '+' technically an invalid character in an email address?
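As an added example (not code from the forum or the site) for maz64's question about whether '+' is a valid character: an RFC 5322 dot-atom check for the local part, which does accept '+', plus a helper that splits off the '+' tag so the owner of a tagged address can tell which sign-up an unsolicited message was addressed to. The sample addresses and the tag-to-site mapping are constructed.

```python
"""Check e-mail addresses the way RFC 5322 permits and split out a '+' tag.

Added example, not code from the forum or the site. The registration form
discussed in the thread rejected 'focus+hj@gmail.com'; '+' is legal in the
local part (individual sites and mailbox providers may still be stricter).
The sample addresses below are constructed.
"""
import re

# RFC 5322 "atext": letters, digits and this punctuation, '+' included.
# Dots separate atoms but may not lead, trail or repeat.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")
# Domain: hostname labels, at least one dot, alphabetic top-level label.
DOMAIN = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def is_valid_address(addr: str) -> bool:
    """True if addr is a dot-atom local part at a plausible domain."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not local or len(local) > 64:  # RFC 5321 local-part length limit
        return False
    return bool(DOT_ATOM.match(local)) and bool(DOMAIN.match(domain))


def split_subaddress(addr: str, sep: str = "+"):
    """Split 'user+tag@example.com' into ('user@example.com', 'tag').

    Sub-addressing is a mailbox-provider convention (Gmail uses '+'); the
    tag is whatever follows the first separator in the local part.
    """
    local, domain = addr.rsplit("@", 1)
    base, _, tag = local.partition(sep)
    return f"{base}@{domain}", tag or None


def match_leak_source(to_addr: str, registrations: dict):
    """Map the address a message was sent to back to the sign-up it was
    created for, using a tag -> site dict kept by the address owner.
    Returns None for untagged or unknown tags."""
    _, tag = split_subaddress(to_addr)
    return registrations.get(tag) if tag else None


if __name__ == "__main__":
    samples = ["focus+hj@gmail.com", "plain.user@example.org",
               "bad..dots@example.org", ".leading@example.org",
               "no-at-sign", "two@@example.org"]
    for s in samples:
        print(f"{s:26} valid={is_valid_address(s)}")
    # Constructed bookkeeping: tag used at sign-up -> where it was given out.
    regs = {"hj": "Honest John forum", "cars": "insurance comparison site"}
    print(match_leak_source("focus+hj@gmail.com", regs))  # Honest John forum
```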
Site Security and phishing - maz64
BTW I also noticed that creating an account also involves deciding whether to tick or not an 'accept promotional material' tickbox. Who sends the material?
Site Security and phishing - rtj70
also noticed that creating an account also involves deciding whether to tick or not an 'accept promotional material' tickbox. Who sends the material?


Telegraph maybe? I do get unwanted emails from them and this site is an obvious one where they got my email address from - well there's an obvious link. But in this instance I don't mind.
Site Security and phishing - MikeTorque
Looks like they've got hold of my email details as they've attacked my email.

In retaliation I'm deleting my email account and a nuke is on its way to the perps.
Site Security and phishing - KB.
Cahoot phishing email received today. I have no Cahoot account. This is only the second phishing email I've ever had - the first was the PayPal one just the other day. It was, as has been said, very amateurish, fortunately. Hopefully most would see through it. I, like everyone else, am not happy... my password is unique to this site but it's still disconcerting.
Site Security and phishing - bell boy
I've changed my password and email address on here this week and as of now the new address reports no spam.
Site Security and phishing - Stephen
Oh that would be this site. If you do it the proper way, we have to have your permission to email you. Spammers aren't that polite.
----------------------------------
Stephen Khoo
www.khoosys.net
Site Security and phishing - Dipstick
Spookily, I just did the same "add a +" thing a moment ago before I saw your message, Focus, and it worked just fine for me.

Maybe it's been fixed to accept the + now.
Site Security and phishing - maz64
Maybe it's been fixed to accept the + now.


Still doesn't work for me: 'your email address is not in the correct form' :-(
Site Security and phishing - Dipstick
"Still doesn't work for me: 'your email address is not in the correct form' :-("

Ah hang on - you are creating a new account - I just modified my existing one.
Site Security and phishing - maz64
"Still doesn't work for me: 'your email address is not in the correct form' :-("
Ah hang on - you are creating a new account - I just modified my existing one.


interesting...
Site Security and phishing - Dynamic Dave
I changed my password after the incident but now understand they are still not encrypted. It seems a waste of time changing them until the site encrypts a new password at the point of submission.


The admin site passwords have been changed, along with various other changes as well. Even I find it difficult logging in to it.

Without going into detail, I find it more difficult logging into HJ admin now than I do my on-line banking account. Also if any of us make 3 failed attempts in a row we're then locked out. We then have to email Stephen to have our access reset.

DD.

Edited by Dynamic Dave on 26/06/2009 at 00:58

Site Security and phishing - rtj70
DD is not wrong about logging in to the admin side of things. Nearly impossible for anyone, and I have a login too. And all failed attempts are alerted on. I usually take 1-2 attempts because it's too secure.

You now need a username and password before you can use your own username and password plus .... you get the message.
Site Security and phishing - Stephen
I find it difficult logging in to it.


Yes, it's such a pain that even I don't log in that often now.

----------------------------------
Stephen Khoo
www.khoosys.net
Site Security and phishing - OldSock
Yes it's such a pain that even I don't log in that often now.


... and others may start to do likewise :-(
Site Security and phishing - Stephen
... and others may start to do likewise :-(


There is no change to your login. What I meant was the site administration login which you don't have access to. That area has a completely separate login method.
----------------------------------
Stephen Khoo
www.khoosys.net
Site Security and phishing - Neiltoo
Sorry, but it seems to me the entire password discussion is irrelevant to the spam issue.
The spammers don't need the password to spam you, they just need a list of addresses.

Changing your password won't affect the amount of spam you get.

Your password on this site, so long as it is different to your email account password won't compromise your email security.

As far as I know......
Site Security and phishing - Stephen
the entire password discussion is irrelevant to the spam issue


Yes you are correct of course. I elaborated on this in my earlier post. However, as we do know that we have had an intruder into the site admin who may have recorded passwords it is really only a precautionary note.
----------------------------------
Stephen Khoo
www.khoosys.net
Site Security and phishing - RickyBoy
That was going to be my take on the matter too!

Don't the majority of us accept that a small degree of 'spamming' goes with the territory when using this medium and just put up with it? I too received a Cahoot email today/yesterday/whenever, but (in the same way that I deal with all other spam intrusions) I checked it and deleted it without ever opening it, much in the same way that I don't answer mobile calls if they don't have a recognizable name/number displayed.

You guys (Mods/Bouncers, etc.) seem completely on the case regarding the day-to-day running & security of this site so I have no problem whatsoever about visiting. Could be posting a fair deal more today as the sun appears to have gone all shy over MK...
Site Security and phishing - Stephen
>>Stephen - Thank you for a proper explanation.

>>It would probably have been better to offer a full explanation in the first instance rather than the 'spun' version. There are enough technically aware people on this site who would have expected a technically credible response.
--------

Thank you for your kind words.

A couple of things. Firstly, I have only just come back from hols. A good greeting back eh? ;-)
The other thing is that not everyone likes techy talk and needs it in much simpler words. Techy people don't mind this kind of stuff; in fact they prefer it. Other people would wonder what on earth we were going on about.
For example, there is already some confusion in forum readers between your forum login and the site administration login; the site being compromised and the hosting server being compromised.

I will take a bit more time to look into this phishing thing, but already I can see that the consensus here has jumped to the conclusion that this was the methodology:

site hack => emails stolen => emails used by phishers

There are a few issues already with this. The logs - and I will check them from that time more fully, show that the intruder viewed very few pages of members. They weren't interested basically. So we know they didn't pull all the names of forum users. If I were to spend more time my hunch is that those complaining about being phished weren't even on those pages. There are literally thousands of members and maybe they saw around 50. They would then have had to key in those email addresses too and I think they would want an easier way than that. This should put it all in perspective.

If I were a phisher I wouldn't do it like that as there are easier ways. Of course as this is an open forum I am not going to say any more until I have discussed with the mods and site owners. Too much information can also be a dangerous thing - not because I don't trust you, but that this is an open forum.

It's worth pointing out the above assumption that it "is all linked to the hack" is looking to be incorrect. It may well be that asking you all to change your passwords and so on is a red herring, but it is a good precautionary note anyway.

----------------------------------
Stephen Khoo
www.khoosys.net

Edited by Stephen on 26/06/2009 at 10:25

Site Security and phishing - Mr X
My dollar's still on the government snooping around this site. Only 50 addresses.....
One will be mine but who were the other 49?
Site Security and phishing - jbif
There are literally thousands of members and maybe they saw around 50.

It's worth pointing out the above assumption that it "is all linked to the hack" is looking to be incorrect. >>

I suggest you do not rush in to making unsupported statements.

Well I can tell you quite categorically that I am one of those 50, and it is certainly linked to some hack or other of the HJ site. Only you can know what it is or was or maybe there is another hack that you are still not aware of [since nortones2 claims above to have received spam at his new email too!]

In common with a few others [who said so in the previous thread which is now locked: www.honestjohn.co.uk/forum/post/index.htm?v=e&t=76...9 ] the email address that I use for this site is absolutely NOT known to anyone else apart from the HJ admin.