bogleheads.org attacked - some accounts hijacked

Discussions about the forum and contents

Re: CAPTCHA ?

Postby JPH » Fri May 18, 2012 6:14 pm

sscritic wrote:
JPH wrote:
nisiprius wrote:I don't think the bad guys are clever enough to do site-specific password guessing, but I would suggest that people avoid passwords that have any relationship to the name of our mentor.

nisiprius, I made this mistake, and my account was hijacked.

Wow! Who would have guessed that the bad guys would try nisiprius as a common password. That is the mentor of whom you speak, right?



Well, in a way, yes, I suppose so! :sharebeer To nisiprius.
JPH
 
Posts: 268
Joined: Mon Jun 27, 2011 9:56 pm

Re: CAPTCHA ?

Postby Default User BR » Fri May 18, 2012 6:52 pm

JPH wrote:nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?


Brian
Default User BR
 
Posts: 7503
Joined: Mon Dec 17, 2007 8:32 pm

Re: bogleheads.org under attack - may cause login problems

Postby DRiP Guy » Fri May 18, 2012 7:00 pm

I also want to take a moment as others have done, and thank forum admin for both taking the threat seriously, and also informing us of what was going on so we can be proactive.

I'm betting this will cause a lot of us to audit our other passwords, as well as the one used here. So, unlike the original attack (GGGRRRRRR to the scumbags out there), at least the extra vigilance this should inspire in users will serve a useful purpose; as Martha Stewart might say "It's a good thing."
DRiP Guy
 
Posts: 2237
Joined: Tue Feb 20, 2007 5:54 pm

Re: bogleheads.org under attack - may cause login problems

Postby Easy Rhino » Fri May 18, 2012 7:31 pm

It's probably the high-fee fund industry attacking... BOGLEHEADS, TO THE BARRICADES! :annoyed

But seriously I hadn't noticed this topic, but I HAD noticed that I had to log in using a captcha out of the blue a few days ago, so I guess this explains it.
Easy Rhino
 
Posts: 2772
Joined: Sun Aug 05, 2007 12:13 pm
Location: San Diego

Hijacked Boglehead account

Postby JPH » Fri May 18, 2012 8:47 pm

Default User BR wrote:
JPH wrote:nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?


Brian

I don't know that they did anything. Maybe they edited my old posts so they make more sense. :happy The administrators corrected the problem by providing a new temporary password, which I changed on first login. I am now using a much stronger password. Thank you to Alex and Tashina.
JPH
 
Posts: 268
Joined: Mon Jun 27, 2011 9:56 pm

Re: bogleheads.org under attack - may cause login problems

Postby Petrocelli » Fri May 18, 2012 8:54 pm

I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch! :shock:

I apologize to the forum for this disruption. See you all at Bogleheads 10!
Petrocelli (not the real Rico, but just a fan)
Petrocelli
 
Posts: 2188
Joined: Mon Feb 19, 2007 7:29 pm
Location: Fenway Park, between 2nd and 3rd base

Re: bogleheads.org under attack - may cause login problems

Postby petrico » Fri May 18, 2012 9:38 pm

Petrocelli wrote:I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch! :shock:

The arrogance.
petrico
 
Posts: 2183
Joined: Sat Apr 07, 2007 5:29 pm

Re: bogleheads.org under attack - may cause login problems

Postby rustymutt » Fri May 18, 2012 9:50 pm

Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.
At the Very Least, Work Hard, Do Your Best, Know the Truth and the Facts and Always Be Honest!
rustymutt
 
Posts: 2760
Joined: Sat Mar 07, 2009 1:03 pm

Re: bogleheads.org under attack - may cause login problems

Postby xerty24 » Fri May 18, 2012 10:03 pm

rustymutt wrote:Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

There are plenty of IPs out there too. If you're at all careful, things can't get traced back in a useful way.
No excuses, no regrets.
xerty24
 
Posts: 4830
Joined: Tue May 15, 2007 4:43 pm

Re: bogleheads.org under attack - may cause login problems

Postby Mel Lindauer » Fri May 18, 2012 10:09 pm

Petrocelli wrote:I just realized that some idiot hacked my account and authored posts on Dan Wiener, actively managed stocks, and even a long thread on a $5,000 watch! :shock:

I apologize to the forum for this disruption. See you all at Bogleheads 10!


See, you stay away for a while and you're totally out of the loop, Petro. Actually, Bogleheads 10 was LAST YEAR, and, believe it or not, this year's event is called Bogleheads 11. (We're a creative bunch, aren't we? :D )
Best Regards - Mel | | Semper Fi
Mel Lindauer
Moderator
 
Posts: 22018
Joined: Mon Feb 19, 2007 9:49 pm
Location: Daytona Beach Shores, Florida

update

Postby Alex Frakt » Sat May 19, 2012 2:06 am

Default User BR wrote:
JPH wrote:nisiprius, I made this mistake, and my account was hijacked.

What did they do with your account? What was the process to regain control?

It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself. We have previously discussed him on this thread: http://www.bogleheads.org/forum/viewtopic.php?t=82238.

We have gotten fairly good at sniffing him out when he signs up, so he switched to this attack on our forum in an attempt to hijack existing members' accounts from which to launch his protests. We now know he successfully hijacked at least three accounts. In JPH's case, he didn't do anything with the account other than attempt to change the e-mail address. He either was holding it in reserve or made a typo in the e-mail address, because he never activated the account after the change. By restoring JPH's original e-mail address and forcing a new password, we were able to get it back.

Two other members were not so lucky and their accounts were used to send dozens of PMs complaining of his ill treatment and "warning" people about the conspiracy he imagines Larry, Mel and I have cooked up. These accounts have been recovered. We don't know if anyone else has been hijacked, so once again I urge you to change your password if you are using one of the weak passwords mentioned in the first post on this thread.

rustymutt wrote:Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

He's arguably insane, but he's unarguably very smart. I've contacted his original ISP and they won't do anything unless compelled by a court or law enforcement order. He now connects through anonymizing servers so there is no way to block or track him. He also always uses temporary e-mail services when he signs up for an account. His hack attempts are illegal and law enforcement could get him easily enough based on the information in our logs, but it appears that since we can't prove sufficient monetary damages, the cops aren't interested in doing more than taking a report. BTW, if anyone out there has some pull with a computer crimes law enforcement entity who might be interested in pursuing this, please let me know via PM. Our servers are in New York and the attacker appears to be based in New York if that makes a difference, but we obviously have readers everywhere.
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago

Re: CAPTCHA ?

Postby SSSS » Sat May 19, 2012 2:14 am

Alex Frakt wrote:It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.


The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.
SSSS
 
Posts: 1866
Joined: Fri Jun 18, 2010 12:50 pm

Re: update

Postby Mudpuppy » Sat May 19, 2012 2:24 am

Alex Frakt wrote:
rustymutt wrote:Alex, can you capture his IP and turn it in to his provider. Plenty of software out there to do this.

He's arguably insane, but he's unarguably very smart. I've contacted his original ISP and they won't do anything unless compelled by a court or law enforcement order. He now connects through anonymizing servers so there is no way to block or track him. He also always uses temporary e-mail services when he signs up for an account. His hack attempts are illegal and law enforcement could get him easily enough based on the information in our logs, but it appears that since we can't prove sufficient monetary damages, the cops aren't interested in doing more than taking a report. BTW, if anyone out there has some pull with a computer crimes law enforcement entity who might be interested in pursuing this, please let me know via PM. Our servers are in New York and the attacker appears to be based in New York if that makes a difference, but we obviously have readers everywhere.

This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum. But getting a civil court to reveal identity from ISP records can be a bit tedious (if not impossible) unless you have the weight of major industry like MPAA or RIAA. Getting a court order will get you more clout with law enforcement because breaking a legal order is more serious than harassment (unless that harassment is likely to cause immediate danger to life and limb, which is not the case here). But getting the court order in the first place is the problem.

Short of that, it becomes a game of whack-a-mole. If you had a bored developer with time on his/her hands, you could build a honeypot for him to spin his wheels in (e.g. redirect his username on login to a fake site where none of his actions actually propagate to the real site), but that seems almost as much hassle as court proceedings.
Mudpuppy
 
Posts: 2595
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: CAPTCHA ?

Postby Alex Frakt » Sat May 19, 2012 2:27 am

SSSS wrote:
Alex Frakt wrote:It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.


The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.

That's the one.

BTW, if anyone gets a strange or apparently out of character PM (in addition to obvious violations like spam), please click the report button (triangle with an exclamation point) on the message to let us know.
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago

Re: update

Postby Alex Frakt » Sat May 19, 2012 2:31 am

Mudpuppy wrote:This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum. But getting a civil court to reveal identity from ISP records can be a bit tedious (if not impossible) unless you have the weight of major industry like MPAA or RIAA. Getting a court order will get you more clout with law enforcement because breaking a legal order is more serious than harassment (unless that harassment is likely to cause immediate danger to life and limb, which is not the case here). But getting the court order in the first place is the problem.

Short of that, it becomes a game of whack-a-mole. If you had a bored developer with time on his/her hands, you could build a honeypot for him to spin his wheels in (e.g. redirect his username on login to a fake site where none of his actions actually propagate to the real site), but that seems almost as much hassle as court proceedings.

That's pretty much our sysadmin's (Larry Auton) take on it. It's frustrating though.
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago

Re: update

Postby Default User BR » Sat May 19, 2012 11:30 am

Alex Frakt wrote:It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.

Oh, that guy. Yeah.


Brian
Default User BR
 
Posts: 7503
Joined: Mon Dec 17, 2007 8:32 pm

Re: CAPTCHA ?

Postby LazyNihilist » Sat May 19, 2012 12:46 pm

SSSS wrote:
Alex Frakt wrote:It's not a they, it's one apparently mentally ill person who has made it his great quest to inform everyone of the imagined evils of Larry Swedroe, Mel and myself.


The "deceitful fraudster" guy? I got a PM last week that was seriously confusing because it came from an apparently legitimate account (Nowizard). Now it makes a little more sense.


The same thing happened to me. Got a PM from what looked like a legitimate account (Nowizard) probably hacked. And going on about wild conspiracy theories.
The only problem is Entropy, leading to the eventual heat death of the universe. [Seen on /.]
LazyNihilist
 
Posts: 710
Joined: Sat Feb 19, 2011 10:56 pm
Location: 5.82% (xirr)

Re: bogleheads.org under attack - may cause login problems

Postby DavidC » Sat May 19, 2012 3:56 pm

I just wanted to thank the admins for the work they perform to keep this forum and wiki running on their spare time/dime. And since no one linked them yet for giggles I link to 2 additional XKCD cartoons discussing CAPTCHAs:
There is nothing that demonstrates the inherent strangeness of this forum better than that US government savings bonds... are the sexiest, trendiest possible investment on this site. - momar
DavidC
 
Posts: 165
Joined: Tue Sep 06, 2011 9:06 pm

Re: bogleheads.org under attack - may cause login problems

Postby gabylon » Sat May 19, 2012 6:19 pm

Has it ever been considered to implement login via a secure connection?
gabylon
 
Posts: 372
Joined: Thu Dec 31, 2009 2:54 pm

Re: bogleheads.org under attack - may cause login problems

Postby Alex Frakt » Sat May 19, 2012 6:54 pm

gabylon wrote:Has it ever been considered to implement login via a secure connection?

The short answer is that it has been considered and rejected. It's discussed in greater depth here: http://www.bogleheads.org/forum/viewtopic.php?t=85181. It would not have helped with this issue.
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago

Re: bogleheads.org under attack - may cause login problems

Postby pkcrafter » Sat May 19, 2012 10:17 pm

Geez Alex, I always thought vulgar language was verboten on the forum, and I'm dismayed to see it is not.

Paul
When times are good, investors tend to forget about risk and focus on opportunity. When times are bad, investors tend to forget about opportunity and focus on risk.
pkcrafter
 
Posts: 8072
Joined: Sun Mar 04, 2007 1:19 pm
Location: CA

Re: update

Postby Random Musings » Mon May 21, 2012 2:26 pm

Mudpuppy wrote:This sort of behavior is unfortunately so common that it is a very low priority for law enforcement. You could try civil court over the matter and perhaps a judge would be willing to grant a legal order forbidding him from making contact with the forum.


Perhaps we could have the courts require him to only use high expense ratio variable annuities with 12b-1 fees. Of course, advisor recommended with a 2% wrap fee payable to this site.

Hate to be frank, but couldn't this person be doing something more productive? Like getting laid? Nah, probably not.

RM
Random Musings
 
Posts: 5035
Joined: Thu Feb 22, 2007 5:24 pm
Location: Pennsylvania

Re: bogleheads.org under attack - may cause login problems

Postby zaplunken » Mon May 28, 2012 3:39 pm

someone has written a program that runs through the member list and attempts to login to each users account by entering random passwords. In anticipation of such attacks, our software only allows a small number of missed passwords before taking steps to lock out the attacker.


They can't be very successful at this, my password is shall we say pretty easy to guess. I use it at many sites that I view as having nothing to lose if hacked but I have different user names so they couldn't connect that password with any other user name at another site.

I see no reason to be concerned if they got my password, why should I? What could they possibly do with it? Post something that gets me banned would be the worst thing. All places that I would be worried about this I have extremely long and complex passwords, no one is ever going to guess them. As far as email, the address I use here is a throwaway, no address book, I don't use it to communicate with anyone but the site.

This is a PITA for the mods no doubt, my reason for posting is to challenge the forum to point out what I may have overlooked by being so cavalier and to tell others if they did what I have done there shouldn't be any concern. That said, maybe I'm wrong?
zaplunken
 
Posts: 702
Joined: Tue Jul 01, 2008 10:07 am

Re: bogleheads.org under attack - may cause login problems

Postby Call_Me_Op » Mon May 28, 2012 3:42 pm

Two things confuse me about this.

1.) If they want access to the site, why not just sign-up? It's simple and free.

2.) If they gain access to the site, what are they going to do - attempt to solicit financial advice?

Update: I understand now, after reading Alex's response above.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein
Call_Me_Op
 
Posts: 4643
Joined: Mon Sep 07, 2009 3:57 pm
Location: Milky Way

Re: bogleheads.org under attack - may cause login problems

Postby HueyLD » Tue May 29, 2012 9:37 am

I was asked to enter CAPTCHA characters when I tried to login yesterday. In addition, I could not even access BH.org from my home network for a few weeks until yesterday.

So, do I need to change my password? Anything else I need to do?
HueyLD
 
Posts: 3321
Joined: Mon Jan 14, 2008 11:30 am

Re: bogleheads.org under attack - may cause login problems

Postby LadyGeek » Thu May 31, 2012 7:33 pm

If you have questions about the security of your password for any reason, just change it for peace of mind. This applies to any website you visit. As long as you can login to the site, there's nothing more to do.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org under attack - may cause login problems

Postby umfundi » Sat Jun 02, 2012 5:50 pm

nisiprius wrote:
Pacific wrote:
Password
Really??
Really. Probably a common reaction of users to being told "type password." I think it's usually cluelessness plain and simple, not misplaced cleverness.

When I used Lotus Notes as a corporate mail system, my password was "password". You couldn't get to mail without logging in as yourself (with an enforced strong password), and I was perpetually having to give the mail password to system administrators for some reason or another. Having that password required was pointless and useless.

Reminds me of the old days, when the example in the manual for networking Sun workstations had the machines named Larry, Moe, and Curly. Guess what were the most popular hostnames for workstations?

Keith
Déjà Vu is not a prediction
umfundi
 
Posts: 3361
Joined: Tue Jun 07, 2011 6:26 pm

Re: bogleheads.org under attack - may cause login problems

Postby retiredjg » Sat Jun 02, 2012 7:07 pm

umfundi wrote:When I used Lotus Notes as a corporate mail system....

My sympathies. I had the same experience. What a cluster.
retiredjg
 
Posts: 17460
Joined: Thu Jan 10, 2008 1:56 pm

Re: bogleheads.org under attack - may cause login problems

Postby umfundi » Sat Jun 02, 2012 7:13 pm

retiredjg wrote:
umfundi wrote:When I used Lotus Notes as a corporate mail system....

My sympathies. I had the same experience. What a cluster.

As I used to explain to my employees: "The purpose of L**** N**** is to lower your expectations." :P

Keith
Déjà Vu is not a prediction
umfundi
 
Posts: 3361
Joined: Tue Jun 07, 2011 6:26 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby Nowizard » Thu Jun 07, 2012 10:54 am

Mine was one of the accounts that was hacked, and I did have an easily discernible password (stocks). Not being nefarious, I never considered someone using my account and had no reason (until now) to even think about privacy since I would only be posting courteously. I have not seen any responses attributed to me, but appreciate the moderator restoring my privileges. A more subtle password is in place. If anyone received an offensive message "from" Nowizard, I did not send it and am sorry for the inconvenience.

Tim
Nowizard
 
Posts: 490
Joined: Tue Oct 23, 2007 6:33 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby SSSS » Thu Jun 07, 2012 1:33 pm

Nowizard wrote:I have not seen any responses attributed to me, but appreciate the moderator restoring my privileges. A more subtle password is in place. If anyone received an offensive message "from" Nowizard, I did not send it and am sorry for the inconvenience.


I got a PM a few weeks ago. I was really perplexed about what Larry Swedroe had done to piss you off so bad in such a short span of time. :twisted:
SSSS
 
Posts: 1866
Joined: Fri Jun 18, 2010 12:50 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Thu Jun 07, 2012 3:52 pm

We just implemented a new feature in the forum software to help select a good password: Forum Software Updated: Show Password Strength
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby Random Musings » Fri Jun 08, 2012 10:27 am

LadyGeek wrote:We just implemented a new feature in the forum software to help select a good password: Forum Software Updated: Show Password Strength


Thanks for the update.

RM
Random Musings
 
Posts: 5035
Joined: Thu Feb 22, 2007 5:24 pm
Location: Pennsylvania

Re: bogleheads.org attacked - some accounts hijacked

Postby Alex Frakt » Tue Jun 12, 2012 2:36 pm

The troll is still at it. Even though we are taking measures to prevent the ongoing password attacks from breaching accounts, he was able to determine the password of multiple accounts in the initial attack and has apparently decided to use them up one at a time when something here upsets him. Within the last two days he made several posts using the hijacked account of member WTR3RD and sent several Private Messages using the hijacked account of member nevisbound.

As always, you can help us out by reporting suspicious PMs or posts. Note that many of the accounts he was able to get into are older ones that have had little or no activity lately. If you see a torrent of posts or are contacted by someone whose last post was from months or years ago, you should be suspicious.

A note on passwords. The type of attack the troll is running is very simple. It attempts to log in by plugging in a username and running through a list of likely passwords. We block this after a small number of attempts, so any password that follows the guidelines found in my original post on this thread is safe. The new password strength indicator is based on foiling an attack where the hashed (which more or less means encrypted) password database is compromised. This is what recently occurred on LinkedIn. That has not happened here. IMO, the really complex passwords needed to get a Strong rating from the password checker are overkill for a site like this.
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago
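The lockout Alex describes (block after a small number of failed attempts per account) stops a run through a password list against one user name, but it does not by itself catch the other pattern in this thread, a program walking the member list and trying a likely password against every name, because no single account ever reaches the per-account threshold. The added example below is not the forum's software; it is a Python sketch of both checks, a per-account failure counter and a per-source-IP "how many distinct accounts has this address failed against" counter, replayed over a constructed login log. The log format, the thresholds (3 failures per account, 5 distinct accounts per IP, 15-minute window) and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not the forum's code. Log format, thresholds and addresses are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source hammers a single account, then sweeps the member list with
# one guess per account; a legitimate member mistypes once and then logs in.
SAMPLE_LOG = """\
2012-05-18T18:00:01 login user=alice ip=198.51.100.7 result=FAIL
2012-05-18T18:00:02 login user=alice ip=198.51.100.7 result=FAIL
2012-05-18T18:00:03 login user=alice ip=198.51.100.7 result=FAIL
2012-05-18T18:00:04 login user=alice ip=198.51.100.7 result=FAIL
2012-05-18T18:00:10 login user=bob ip=198.51.100.7 result=FAIL
2012-05-18T18:00:11 login user=carol ip=198.51.100.7 result=FAIL
2012-05-18T18:00:12 login user=dave ip=198.51.100.7 result=FAIL
2012-05-18T18:00:13 login user=erin ip=198.51.100.7 result=FAIL
2012-05-18T18:00:14 login user=frank ip=198.51.100.7 result=FAIL
2012-05-18T18:00:15 login user=grace ip=198.51.100.7 result=FAIL
2012-05-18T18:05:00 login user=JPH ip=203.0.113.5 result=FAIL
2012-05-18T18:05:20 login user=JPH ip=203.0.113.5 result=OK
"""


def parse_line(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "result": m["result"]}


class LoginGuard:
    """Per-account lockout plus per-source-IP sweep detection over a sliding window."""

    def __init__(self, max_user_fails=3, max_ip_users=5, window=timedelta(minutes=15)):
        self.max_user_fails = max_user_fails
        self.max_ip_users = max_ip_users
        self.window = window
        self.user_fails = defaultdict(deque)   # user -> timestamps of recent failures
        self.ip_targets = defaultdict(dict)    # ip -> {user: timestamp of last failure}
        self.locked_users = set()
        self.blocked_ips = set()
        self.alerts = []

    def _recent_user_fails(self, user, now):
        dq = self.user_fails[user]
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def _recent_ip_targets(self, ip, now):
        targets = self.ip_targets[ip]
        for u, ts in list(targets.items()):
            if now - ts > self.window:
                del targets[u]
        return len(targets)

    def check(self, ev):
        """Verdict for one attempt: 'allow', 'captcha' (account has recent failures) or 'block'."""
        user, ip, now = ev["user"], ev["ip"], ev["ts"]
        if user in self.locked_users or ip in self.blocked_ips:
            return "block"
        verdict = "captcha" if self._recent_user_fails(user, now) > 0 else "allow"
        if ev["result"] == "OK":
            self.user_fails[user].clear()      # successful login resets the account counter
            return verdict
        self.user_fails[user].append(now)
        if len(self.user_fails[user]) >= self.max_user_fails:
            self.locked_users.add(user)
            self.alerts.append(f"lockout user={user} after {self.max_user_fails} failures from {ip}")
        self.ip_targets[ip][user] = now
        if self._recent_ip_targets(ip, now) >= self.max_ip_users:
            self.blocked_ips.add(ip)
            self.alerts.append(f"sweep ip={ip} failed against {self.max_ip_users} distinct accounts")
        return verdict


def replay(log_text, guard=None):
    """Run every parseable line through the guard; return the verdicts and the final guard state."""
    guard = guard or LoginGuard()
    events = (parse_line(l) for l in log_text.splitlines())
    verdicts = [guard.check(ev) for ev in events if ev]
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = replay(SAMPLE_LOG)
    print(verdicts)
    print("\n".join(guard.alerts))
```

In the replay, the per-account counter locks `alice` on the third failure, but the six one-guess-per-name attempts that follow would each pass as a first failure on a fresh account; only the per-IP counter trips, after the fifth distinct name. The member's own mistype produces a `captcha` verdict on the next attempt rather than a block, which is the behaviour several posters in this thread noticed.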

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Tue Jun 12, 2012 4:34 pm

OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

For detailed password discussions see: Forum Software Updated: Show Password Strength and Another reason why you should never reuse passwords...
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby Epsilon Delta » Tue Jun 12, 2012 5:51 pm

LadyGeek wrote:OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.
Epsilon Delta
 
Posts: 3389
Joined: Thu Apr 28, 2011 8:00 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby Mel Lindauer » Tue Jun 12, 2012 6:34 pm

Epsilon Delta wrote:
LadyGeek wrote:OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.


You need to use one or more numbers and/or characters and even a much shorter password will become stronger. Give it a try.
Best Regards - Mel | | Semper Fi
Mel Lindauer
Moderator
 
Posts: 22018
Joined: Mon Feb 19, 2007 9:49 pm
Location: Daytona Beach Shores, Florida

Re: bogleheads.org attacked - some accounts hijacked

Postby Alex Frakt » Tue Jun 12, 2012 6:47 pm

Epsilon Delta wrote:
LadyGeek wrote:OTOH, we can't predict the future. A rating of "Good" is the minimum, but try to turn the indicator to green ("Strong").

It thinks treecleanfilepigrederrorlawnpalaceflagminus is weak, so take it with a grain of salt.

Exactly. Time for the obligatory xkcd comic.
http://xkcd.com/936/
Alex Frakt
Founder
 
Posts: 9402
Joined: Fri Feb 23, 2007 2:06 pm
Location: Chicago
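Epsilon Delta's observation (a ten-word passphrase rated "weak") and Alex's earlier distinction between the online guessing the forum blocks after a few attempts and offline cracking of a leaked hash database are two sides of one point: a class-counting indicator scores the shape of the string, whereas what actually matters is how many guesses an attacker needs and how fast they can make them. The added example below is not the forum's indicator code; it pairs a generic rule-based rating (an assumed reconstruction of how such indicators typically work) with an entropy estimate based on how the password was generated, then converts that into expected guessing time under both threat models. The guess rates, the 10,000-word and 2048-word list sizes, and the random 8-character sample are assumptions; "stocks" and the passphrase are the values posted in this thread.

```python
import math
import string

# Added example, not the forum's password-strength code. The rule-based checker is a generic
# reconstruction of how many web indicators work; list sizes and guess rates are assumptions.

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def rule_based_rating(pw: str) -> str:
    """Class-counting indicator: rewards mixing character classes, ignores how the password was made."""
    classes = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in pw))
    if classes < 2 or len(pw) < 8:
        return "Weak"           # a 45-character all-lowercase passphrase lands here
    if classes >= 3 and len(pw) >= 10:
        return "Strong"
    return "Good"


def entropy_bits(n_symbols: int, symbol_space: int) -> float:
    """Guessing entropy of a password built from n_symbols independent uniform picks out of
    symbol_space. A 'symbol' is a character for random-character passwords and a whole word
    for a passphrase drawn from a word list."""
    return n_symbols * math.log2(symbol_space)


# Threat model 1: online guessing against the live login form. Assumption: the site blocks after
# 3 failures per account per 15-minute window, so staying under that allows 2 guesses per window.
ONLINE_GUESSES_PER_SEC = 2 / (15 * 60)
# Threat model 2: offline cracking of a leaked hash database (the LinkedIn case Alex mentions).
# Assumption: 1e10 guesses/s, roughly a GPU rig against an unsalted fast hash.
OFFLINE_GUESSES_PER_SEC = 1e10


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """On average the attacker finds the password halfway through the 2**bits space."""
    return 2 ** (bits - 1) / guesses_per_sec


def assess(pw: str, n_symbols: int, symbol_space: int) -> dict:
    """Indicator rating next to entropy-based expected guessing time under both threat models."""
    bits = entropy_bits(n_symbols, symbol_space)
    return {
        "password": pw,
        "indicator": rule_based_rating(pw),
        "bits": round(bits, 1),
        "online_days": expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / 86400,
        "offline_seconds": expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC),
    }


SAMPLES = [
    # Nowizard's password from this thread: one common word; assume a 10,000-word attacker list.
    ("stocks", 1, 10_000),
    # Constructed: 8 characters picked at random from the 94 printable ASCII characters.
    ("Xk9$mQ2p", 8, 94),
    # Epsilon Delta's passphrase: 10 words; assume each drawn at random from a 2048-word list.
    ("treecleanfilepigrederrorlawnpalaceflagminus", 10, 2048),
]

if __name__ == "__main__":
    for pw, n, space in SAMPLES:
        r = assess(pw, n, space)
        print(f"{r['password'][:20]:<20} indicator={r['indicator']:<6} bits={r['bits']:>6} "
              f"online={r['online_days']:.3g} days  offline={r['offline_seconds']:.3g} s")
```

Two things the table makes visible. The indicator inverts the entropy ordering: the 110-bit passphrase is "Weak" and the 52-bit random string is "Good". And the online figure for `stocks` (about 26 days at 2 guesses per window) assumes the attacker's list is in random order; the "list of likely passwords" Alex describes puts a word like that in the first handful of guesses, which is why lockout alone did not save those accounts, while the same lockout makes any password outside such a list impractical to guess online. Offline, against a leaked fast hash, only the bit count matters, which is the scenario the indicator is really scoring.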

Re: bogleheads.org attacked - some accounts hijacked

Postby dratkinson » Tue Jun 12, 2012 8:13 pm

Just a data point.

Was required to login today. First time in months. (Will need to wait a few days before I figure out if this is the new normal BH anti-intrusion login method.)

Fumble-fingered my password.

BH CAPTCHA image was not displayed on my Win98SE PC; it is on other sites. (Don't remember which. My problem, not board's. Will upgrade PC one day, just not today.)

"Forgot my password" option worked for me.

Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)



I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)
d.r.a, not dr.a.
dratkinson
 
Posts: 2417
Joined: Thu Jul 26, 2007 7:23 pm
Location: Centennial CO

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Tue Jun 12, 2012 9:03 pm

dratkinson wrote:Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)

I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)

The haystack scheme will be fine as long as you don't tell anybody what it is. HTTPS will not protect you. See: https access to bogleheads.org?.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby dratkinson » Wed Jun 13, 2012 5:42 pm

LadyGeek wrote:
dratkinson wrote:Took the opportunity to begin implementing my new password scheme based on linked GRC "haystack" concept. (Hope it works on all websites.)

I've changed my mind. I now would prefer logins be under HTTPS, not because it protects my BH password, but because it protects the haystack password scheme I plan to deploy on all websites. (Passwords need complexity, but simple minds need simple solutions. HTTPS hides the simple scheme.)

The haystack scheme will be fine as long as you don't tell anybody what it is. HTTPS will not protect you. See: https access to bogleheads.org?.


True, I was concerned about a clear air interception, but your linked topic reminded me that there are worse things to worry about... so, guess I'll try not to be too paranoid.



Second data point. Today, followed topic reply notification email link into BH without the need to re-login. So I'm happy.
d.r.a, not dr.a.
dratkinson
 
Posts: 2417
Joined: Thu Jul 26, 2007 7:23 pm
Location: Centennial CO

Re: bogleheads.org attacked - some accounts hijacked

Postby vectorizer » Wed Jun 13, 2012 6:13 pm

Alex and LadyG., you guys are doing an exemplary job dealing with this attack. Thank you. I wish you didn't have to waste your time because of one deranged individual. And thanks for already having an important mitigation in place limiting the number of login attempts; the addition of mandatory CAPTCHA was a good and reasonable temporary control. Hopefully members with weak passwords will heed your advice and utilize the new password strength feature (since mine is only "good", I should change mine too). Thanks again.
vectorizer
 
Posts: 299
Joined: Sat Mar 03, 2007 4:52 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby gotherelate » Wed Jun 13, 2012 8:32 pm

Regarding suspicious private message (PM)s, I got two within the last week or so. In both cases, a note said that the sender deleted the message before I opened/read it. May that have been part of the attack? If so, should I report these in the future? Thanks.
-Grandpa | I'd rather see where I'm going than see where I've been.
gotherelate
 
Posts: 831
Joined: Wed May 28, 2008 7:57 pm
Location: Texas

Re: bogleheads.org attacked - some accounts hijacked

Postby retiredjg » Wed Jun 13, 2012 8:40 pm

gotherelate wrote:Regarding suspicious private message (PM)s, I got two within the last week or so. In both cases, a note said that the sender deleted the message before I opened/read it. May that have been part of the attack? If so, should I report these in the future? Thanks.

I got one of these this morning. Thought it was pretty strange since I get messages from a couple of different types of groups and this person didn't fit either group. Should this be reported?
retiredjg
 
Posts: 17460
Joined: Thu Jan 10, 2008 1:56 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Wed Jun 13, 2012 9:15 pm

gotherelate and retiredjg: Yes, thanks. No, but thanks for asking. PMs with no content have no information to report.

Unwelcome PMs of any type can be reported as described in this sticky: REPORTING VIOLATIONS AND UNWELCOME PMs

Update 6/15: Sorry, I misread the question. PMs with no content do not need to be reported (there's nothing to report). I modified my comments.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby bdpb » Fri Jun 15, 2012 5:56 pm

Doesn't it require the hacker to know the login username before any hack attempts can be made?

Wouldn't a private login username different than the public displayed username virtually eliminate this problem?

The hacker would have to acquire the private username as well as hack the password.
bdpb
 
Posts: 1197
Joined: Wed Jun 06, 2007 4:14 pm

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Fri Jun 15, 2012 7:27 pm

For obvious reasons, no details other than what's been already stated will be discussed.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby sscritic » Fri Jun 15, 2012 7:35 pm

LadyGeek wrote:gotherelate and retiredjg: Yes, thanks. No, but thanks for asking. PMs with no content have no information to report.

Unwelcome PMs of any type can be reported as described in this sticky: REPORTING VIOLATIONS AND UNWELCOME PMs

Update 6/15: Sorry, I misread the question. PMs with no content do not need to be reported (there's nothing to report). I modified my comments.

And the reason for the update I would guess is Alex's comment yesterday in the linked thread.
Alex Frakt wrote:I'm not sure who said to report retracted PMs, but I can't think of a reason why it would be necessary.


P.S. That's what's fun about having two threads on the same topic. They run in parallel, and if you run in only one, you can't keep up.
sscritic
 
Posts: 21863
Joined: Thu Sep 06, 2007 9:36 am

Re: bogleheads.org attacked - some accounts hijacked

Postby LadyGeek » Fri Jun 15, 2012 7:59 pm

It's from here. I fixed the problem by posting a correction in the thread.

P.S. It's also good to know that the members will keep you straight. Thanks.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 18583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: bogleheads.org attacked - some accounts hijacked

Postby Mel Lindauer » Thu Feb 14, 2013 2:21 pm

The forum is under attack. This explains what's going on.
Best Regards - Mel | | Semper Fi
Mel Lindauer
Moderator
 
Posts: 22018
Joined: Mon Feb 19, 2007 9:49 pm
Location: Daytona Beach Shores, Florida
