I didn't get any - yet. Why have I been left out?
|
I'm not sure how I would tell if I got them - I get about 100 spam emails a day to each of my accounts. Doesn't really bother me, Google gets rid of all of them for me.
|
I had one from Paypal as well.
Ted
|
are you sure you lot haven't been looking at some Frankie Vaughan?...;-)
|
I got one too and had a look at the html coding behind the message.
The address behind the "click here to get screwed" is "http:**//smpdarmapatria-bks.sch.id/en/" which doesn't look PayPally! (The two ** I put in to stop the URL from working)
The source of the message is ns0.triad.uk.com which is listed as owned by LondonLink Hostmaster whose address I have. I do love "nslookup" and "Whois"!
eProf
|
Two new ones overnight, both supposedly from Abbey.
Shame really as I don't usually get any Spam.
|
eProf, assuming someone somehow broke into Admin, collected every Backroomer's e-mail, then sold them to phishing gangsters, what is the answer?
Surely there isn't one apart from closing down the Backroom, everyone getting a new e-mail address, and starting again.
HJ
Edited by Honestjohn on 22/06/2009 at 10:14
|
Clearly that's correct, HJ. We live in a wicked world of spammers & have to get over it. I suppose we just have to read between your lines a little to make out: "Er, sorry about that, guys."
|
eProf, assuming someone somehow broke in to Admin, collected every Backroomer's e-mail >>
1. The first question is: How much data did the hackers get? Did they also get the passwords? If so, it is not such a big problem for those of us who have a dedicated email address for this site and/or are security savvy enough to use unique passwords for every web site we sign on to. The threat is to those who use a common email address and/or use the same email account and password for all their online activities and/or have weak passwords. Hackers could then access those email accounts and gather even more sensitive information.
2. The second question for the site admin is how did the breach happen? Could it be that the discarded server hard drives have ended up somewhere they should not have?
If you think that is far-fetched, see news.bbc.co.uk/1/hi/wales/8036324.stm
3. Thirdly, what can/should site admin do now? IMO, all backroomers should be asked/advised to change their password first, and then gradually over the coming days/weeks should also set up a new email address to log on here.
Edited by jbif on 22/06/2009 at 11:02
|
Yep - a Cahoot and a Päypäl both yesterday. Why the umlauts were put on the Paypal one I have no idea ...
Maybe the originators are 70's heavy metal fans ? :-)
Yes, I've had them too :-(
|
jbif has made the best sense so far.
Obviously if Backroomers have used their main e-mail addresses to register then we can't ask them to change their e-mail addresses because this will involve turning their lives upside down.
We think this happened when the site got hacked. I have my suspicions about who was really behind it, but I can't prove anything so I'm not going to let on.
The admin is now double locked so it is unlikely it will get hacked again soon.
But obviously if a bunch of crooks has got hold of an e-mail address (which they could have done from anywhere) then they have it and that e-mail address will continue to get phishing e-mails and SPAM.
HJ
|
A useful tip if you have a Gmail account is that you own the first part of the email address. So, if mine was "david@gmail.com", the email address "david+anything@gmail.com" is also mine.
So, when you register anywhere, using, say, "david+honestjohn@gmail.com" will instantly identify where your spam comes from.
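As an added example (not code from anyone in this thread), here is how the "+tag" trick above can be turned into an automatic check: parse the To: header of a suspect message and map the tag back to the site it was given to. The registrations table and the sample message are constructed for the demo.

```python
# Added example, not code from the thread: attributing a phishing message to the
# site that leaked the address, using the Gmail "+tag" trick described above.
import email
import email.policy
from typing import Dict, Optional, Tuple

# Constructed sample registrations: tag used at sign-up -> site it was given to.
REGISTRATIONS: Dict[str, str] = {
    "honestjohn": "Honest John Backroom",
    "waitrose": "Waitrose competition",
}

# Constructed sample message in the style the thread describes (sender is fake).
SAMPLE_MESSAGE = """From: "PayPal" <service@example.invalid>
To: D.avid+HonestJohn@gmail.com
Subject: Please verify your account

Click here to verify.
"""


def split_tagged_address(addr: str) -> Tuple[str, str]:
    """Return (owner local part, tag) for a Gmail-style address.

    Gmail delivers david+anything@gmail.com to david@gmail.com and also
    ignores dots in the local part, so both are normalised away here.
    Non-Gmail domains are returned with an empty tag, untouched except case.
    """
    local, _, domain = addr.rpartition("@")
    if domain.lower() not in {"gmail.com", "googlemail.com"}:
        return local.lower(), ""
    base, _, tag = local.partition("+")
    return base.replace(".", "").lower(), tag.lower()


def leak_source(raw_message: str, registrations: Dict[str, str]) -> Optional[str]:
    """Name the site whose sign-up tag appears in the To: header, if any."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    to_header = msg["To"]
    if to_header is None:
        return None
    for address in to_header.addresses:
        _, tag = split_tagged_address(address.addr_spec)
        if tag in registrations:
            return registrations[tag]
    return None
```

Running `leak_source(SAMPLE_MESSAGE, REGISTRATIONS)` names the Backroom registration, so the same idea gives a per-site "seed" for free without any fictitious records.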
|
Indeed jbif is thinking on exactly the same lines as I am.
The spam isn't the issue; in general spam is such a part of the normal internet experience that in itself it does not merit mention. It's all filtered and dealt with automatically anyway for most people.
The point is the implication that the site data has been obtained and the potential risks beyond that.
It may be that passwords are stored in a secure form (I hope so), and that there is no issue. I'd also be interested in how full the rebuild was after the hack and what the possibility is of a backdoor being installed.
Does Stephen Khoo maintain seeds in the data? I've done this ever since my early days of marketing fulfilment. Fictitious Name/Address combos which are held only in the one dbase so that you can detect theft of the data. I used to use my parents' address as unlikely to change in years.
|
So, HJ, do you store passwords in encoded form, or is it likely that the hacker took those as well?
|
...and the potential risks beyond that....
The HJ site has my general correspondence email address and a unique 'strong' password for the backroom.
I imagine quite a few of us are in a similar position.
Spam, as adverse camber says, is a fact of internet life, but is there anything else I should be on the lookout for?
|
update...in addition to the PayPal e-mail now have had 2 from the Abbey...what fun.
|
Yes, had one from Abbey today, went into the spam folder this time!!
I know spam is an everyday problem but in my case I am very fussy who I give my email address to!!
I have never had spam before except on a tiscali address which I closed down
|
I've just had the Abbey one - straight into Gmail spam - that's only the second ever spam I've had in this account.
Had a minor panic just then and went through every other site I use (Amazon and so on) hoping I had not used the same password - no fortunately. But changed them all anyway while I was in there + a new exclusive password on this site.
That just leaves a newish Gmail account with a good, easy to remember front end picking up a phishing scam for the first time.
What are opinions on what to do with this?
1) Keep it and leave it as HJ account too (as it already is).
2) Dump it and get a new main Gmail account + leave old account for HJ site.
3) Set up a temporary POP3 Virgin account to register - then void it.
It would really help to know if passwords were encrypted and what their future status will be
4) Fuss about nothing - go to bed and forget about it??
Yawn ;-)
|
I don't think passwords are encrypted or at least they weren't a few years ago. I forgot mine and a mod was able to tell me what it was.
|
oilrag: Option 4 - good thinking!
I have a system of using random email addresses based on my domain name which enables me to trace the source of any spam - I even had a stack which originated from a competition I entered on Waitrose.com.
Encryption is the answer! Have a look at www.Steganos.com where you will find several useful tools to keep personal information safe in your own computer.
ePr*f
|
I'm pretty cheesed off by this, which has compromised a hitherto clean address - the Paypal email is the first spam received to this account - maybe I shouldn't have added it but it wasn't I who didn't keep it secure.
I would like an answer to the password encryption question, though I suspect I know it.
Why this site uses flaky homemade forum software when there is better, apparently more secure, and free stuff around is another question.
|
HJ / Stephen,
Can you answer the specific question re passwords? Has someone out there now got all the email addresses and passwords for this website?
|
I've now changed my email for this site to a much-spammed one, lest it be lost again, though the horse has bolted.
It would be a good idea to email the facts to all subscribers, primarily for the benefit of the many who will not have seen this thread and might have had their email and password compromised.
Woe betide any organisation that mislays customer data. Just be happy this site doesn't ask for your date of birth.
|
Stephen, Can you answer the specific question re passwords?
I'm sure Stephen Khoo will provide some answers when he is back in the office on Wednesday or Thursday this week. DD
|
do you mean to say i didnt really just win 25,000,000 on the australian lottery !!!!!!!!
|
I can't say for this site, but certainly all the sites I have produced or worked on have had the passwords protected by means of MD5 hash. When you register a script changes the password you enter into a hash key. So the password which is stored is not your password but a hash key which is very very hard to reverse engineer. I cannot say for certain as I don't know the specifics of this site, but I would guess your passwords are 100% secure unless you have spyware on your machine.
Also random spam generators are very easy to code, so if you have your email with one of the big providers like hotmail you will always get spam. If you have your domain it is harder but it is still fairly easy to guess new email addresses if you put enough effort into generating such a program.
Also if your address is visible spam bots would easily pick this up.
I know some companies are now turning to ASP.NET as they believe it is a lot less vulnerable to attacks than PHP is. That said I still use PHP because it's cheaper and so easy.
I remember in the old days I would spot security flaws all the time on the earliest database driven websites and I am no hacker but I can't remember the last time I spotted an obvious flaw (on any site) so things are getting a lot better.
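An added example (not this site's code, nor the poster's) of the "store a hash, not the password" scheme described in the post above. It keeps the unsalted MD5 form alongside a salted, iterated PBKDF2 record so the difference is visible: with no salt, two users with the same password produce the same stored value and one precomputed table covers everyone; the iteration count is an assumed work factor.

```python
# Added example, not the site's code: storing a password as a hash, as the post
# above describes, but salted and iterated (PBKDF2) instead of a bare MD5 digest.
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def unsalted_md5(password: str) -> str:
    """The weak form: no salt, so equal passwords give equal hashes and a
    precomputed table applies to every user's record at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string 'pbkdf2_sha256$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iters)
    except ValueError:
        return False  # malformed or tampered record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)
```

With this layout a mod could reset a forgotten password but never read it back, which is the test the thread keeps asking about.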
|
Is the existing forum part of the site ever going to be secure though - unless the Forum is shut down and restarted with every member having to provide new passwords?
Unless the forum software logs a poster's IP address, what's to stop the lost email addresses (and presumably passwords) being used maliciously by someone else, to post under the genuine member's nick?
Where does that possibility leave genuine members - with reference to the site's policy on personal accountability on material posted?
Edited by oilrag on 23/06/2009 at 09:34
|
You is a jerk oilrag yoo dunt no wat u talkin aboot - log into yoor bank ackount nowe on da sent emale.
(sorry ;-)
|
Is KeePass Password Manager software (which is free) any good?
|
Dear all,
Thank you for your comments and suggestions. We are taking this matter very seriously and have made improvements to our site security recently. We are looking into this matter further and will make a full announcement to all backroomers within 48 hours.
Many thanks
The HJ publishing team.
|
How do we know you are the HJ publishing team...........
You could be the hacker,
|
I think that's enough speculation for now. Let's wait for an answer.
DD.