Author Topic: FA admin account compromised (yet again) (Read 23502 times)

an hoopoe · « **on:** December 16, 2010, 05:59:18 am »

Some people are reporting that they've had submissions deleted from their gallery before the site was taken offline:

This was posted on the front page just before FA was taken offline:

I wonder what it was this time. Certainly looks like the "Fender" account was compromised. The link to a raffle redirected people to this: http://www.youtube.com/watch?v=MebsbmufgVQ (Apparently NSFW)

Jim Demintia · « **Reply #1 on:** December 16, 2010, 08:16:51 am »

Well, you can still log in at the https login page, as that's the one I have bookmarked. You enter your username and password and it then brings up the "FA will return shortly" page.

Oh, and I don't know how many folks here are aware, but Gawker Media was hacked recently and more than 185,000 passwords have been leaked onto the public Internet. This has been more damaging than you'd think because a lot of people use the same god damn password for everything. This has resulted in a lot of collateral damage, ex. Gmail accounts hacked and the like.

It would not surprise me in the least if at least one FA admin was one of those people who uses one password for everything. In fact, it would surprise me if there wasn't at least one FA admin who did this.

rodox_video · « **Reply #2 on:** December 16, 2010, 09:06:39 am »

That's pretty cute, although I probably would have pointed that link here instead.

Mondegreen · « **Reply #3 on:** December 16, 2010, 10:12:40 am »

Quote from: Jim Demintia on December 16, 2010, 08:16:51 am

Gawker Media was hacked recently and more than 185,000 passwords have been leaked onto the public Internet. This has been more damaging than you'd think because a lot of people use the same god damn password for everything. This has resulted in a lot of collateral damage, ex. Gmail accounts hacked and the like.

http://www.bbc.co.uk/news/technology-11998648

Quote from: BBC News

Most common hacked Gawker passwords:
123456 (3074)
password (1954)
12345678 (1119)
lifehack (661)
qwerty (418)

Oh dear

ProvincialTwit · « **Reply #4 on:** December 16, 2010, 10:30:26 am »

So much for "god", "sex", "love", and "money". Hurp lurp 90s reference.

Anyway it seems like it's someone who knows at least something about FA and/or furries in general, if they named specific artists (are those people popular? I have no idea). So once again Furry Will Eat Itself.

If it was anyone from Viv, they will be ~~given a fucking medal of honor~~ better off not admitting it or I guess we'll have to ban them or something, maybe.

Jim Demintia · « **Reply #5 on:** December 16, 2010, 11:44:49 am »

Zaush is Adam Wan. I am told his ED article is pretty much true, so go there and see Patient Zero in the Popular Asshole That Could Not Succeed Outside of Furry disease.

Oh, and to be fair about the Gawker passwords, it's not like a blog commenting account is a banking account, so who really cares if you use a dumb password. The problem is when the password on your blog commenting account(s) and your bank account are the same. I had to lol at the OMG SRS BZNSS tone of all the blog posts about it though. C'mon people. Gawker writes semi-substantiated gossip for self-important hipsters. Who gives a shit, really?

Pi · « **Reply #6 on:** December 16, 2010, 12:28:03 pm »

Quote from: IRC

<yak[away]> cue rage about recycled passwords
<@Pi> cue rage about your admins being morons
<yak[away]> not all
<@Pi> oh, just the vast majority of them, my mistake
<@Pi> fwiw your userbase sees it as a triumph that you've "only" been compromised due to insecure passwords three times
<yak[away]> the userbase [isn't] at all tech savvy. if whoever got admin account knew what they were doing the damage could have been ugh, slightly less then catastrophical.

Jim Demintia · « **Reply #7 on:** December 16, 2010, 12:31:42 pm »

So what was the damage, in all? And who the hell's account was it? And you know, I know this is way beyond Yak's pay grade, but it occurs to me that if admin account X (or any account really) is accessed from Reston, VA (to name a place completely and totally at random) at 3:01AM and then again from San Francisco, CA at 3:34AM...SEEMS LIKE SOMETHING MIGHT BE UP. Maybe? I dunno.

Conan · « **Reply #8 on:** December 16, 2010, 12:35:01 pm »

Quote from: Pi on December 16, 2010, 12:28:03 pm

Quote from: IRC
<yak[away]> cue rage about recycled passwords
<@Pi> cue rage about your admins being morons
<yak[away]> not all
<@Pi> oh, just the vast majority of them, my mistake
<@Pi> fwiw your userbase sees it as a triumph that you've "only" been compromised due to insecure passwords three times
<yak[away]> the userbase [isn't] at all tech savvy. if whoever got admin account knew what they were doing the damage could have been ugh, slightly less then catastrophical.

That's the reason they don't patch security holes either. "Nobody's smart enough to use them!" Yeah okay...

Quote from: Jim Demintia on December 16, 2010, 12:31:42 pm

So what was the damage, in all? And who the hell's account was it? And you know, I know this is way beyond Yak's pay scale, but it occurs to me that if admin account X (or any account really) is accessed from Reston, VA (to name a place completely and totally at random) at 3:01AM and then again from San Francisco, CA at 3:34AM...SEEMS LIKE SOMETHING MIGHT BE UP. Maybe? I dunno.

I'm sure in the coming hours Dragoneer will send his white knight brigade (Twitter) after them. FOR THE GOOD OF THE COMMUNITY!

Pi · « **Reply #9 on:** December 16, 2010, 12:36:00 pm »

Quote from: Jim Demintia on December 16, 2010, 12:31:42 pm

So what was the damage, in all? And who the hell's account was it?

You know that we won't ever get an answer, just a series of internet memes.

My money is on Pinkuh. She seems just that dumb.

Conan · « **Reply #10 on:** December 16, 2010, 12:53:22 pm »

Quote from: Pi on December 16, 2010, 12:36:00 pm

Quote from: Jim Demintia on December 16, 2010, 12:31:42 pm
So what was the damage, in all? And who the hell's account was it?
You know that we won't ever get an answer, just a series of internet memes.

My money is on Pinkuh. She seems just that dumb.

Yep...

EDIT: I love how most users on FAF are pointing fingers, blaming the "trolls", and giving FA asspats instead of questioning FA's security practices. Password expiration? What's that?

Jim Demintia · « **Reply #11 on:** December 16, 2010, 01:59:41 pm »

Quote from: Conan on December 16, 2010, 12:53:22 pm

EDIT: I love how most users on FAF are pointing fingers, blaming the "trolls", and giving FA asspats instead of questioning FA's security practices. Password expiration? What's that?

You really don't even need that. I see a lot of people suggesting that and other stuff in the wake of the Gawker attack, but you know what? My dad used to work for a major multinational. They had stringent security policies and a strict password policy. They enforced it. Well, as much as they could. He pretty much openly admitted to me that he had the same password for years and years but just incremented a number on the end. People will go to great lengths to subvert your password policy. At some point you approach inconvenience, and that brings another set of security problems with it.

My suggestion is to have a basic strength requirement in place and then do server side monitoring. Like I said, it's not hard to establish a pattern of normal access, credit card companies have done this for years, if not decades. They pioneered the technique. People are going to access their accounts from the same places, most of the time. If some access seemingly violates the laws of time and space, then something should happen. An alert maybe. Maybe a secret question should be asked. Who knows. I'm not going to invent this system for them, but the technology exists.

There's a million ways to mitigate this stuff, it's just a question of available skill, really.

For what it's worth, I never got a Gawker commenting account because something about having to impress some dumbshit blogger to get my comments published seemed like a gigantic waste of time.

Conan · « **Reply #12 on:** December 16, 2010, 02:40:24 pm »

Now they're claiming it's not Pinkuh.

Time to run the rest of the admins through that thing and see what happens.

Jim Demintia · « **Reply #13 on:** December 16, 2010, 03:02:54 pm »

Dragoneer will tell someone in a private chat and the log will be leaked in 3...2...

MazelTovCocktail · « **Reply #14 on:** December 16, 2010, 03:23:56 pm »

If it would've been Pinkuh, I think it would've been a twist of delicious irony if the person who got into the account kept things on the down-low, had some sort of huge shitfit (preferably in a manner as close to being in Pinkuh's character as possible), and got the account banned.

If it was Pinkuh's, I'm very disappointed in whoever got in there for not making that happen. I'd have paid, like, a million pesos to watch the banbitch get banned.

Conan · « **Reply #15 on:** December 16, 2010, 03:44:39 pm »

I downloaded the Gawker database and ran every FA admin's username, and if they listed it, email address through it. I got two results other than Pinkuh.

A possible match for Irreverent. They list no email address on their FA page, and the email doesn't seem to support a match.
Then there's Rhainor, or Gawker user zachcoggin. Email addresses match. The irony here is his FA page says "Greetings. My name, as you can see, is Rhainor. No, it's not my Real name; I'm not about to give my Real name across an unsecured web site.", yet it seems he used his real name for his Gawker username.

Jim Demintia · « **Reply #16 on:** December 16, 2010, 03:49:28 pm »

It seems like people are just wishing it was Pinkuh. It seems a more likely scenario is one of those semi-dormant administrators they have got hacked. I don't know if they de-op inactive admins, but I remember from the FA retrospectacle thread they seemed to have a lot of admins who did very little with the site.

Another thing to remember is there are like 1.2 million accounts in that database, but only 185,000 or so were accompanied by decrypted passwords.

loki · « **Reply #17 on:** December 16, 2010, 08:45:18 pm »

So here's a really interesting question.... does the admin shoutbox still have the same XSS holes they had in the mouse-over previews? I remember being able to send off user cookies to a server and then using those session IDs to log in as the user..... Could you imagine if they had harvested some user accounts by posting that News item?

Also, on the note of passwords, at work I have to change mine every 3 (2 maybe?) months and I can't use any password I've used in the last NINETEEN times I've changed it.

Conan · « **Reply #18 on:** December 16, 2010, 10:47:52 pm »

Quote from: loki on December 16, 2010, 08:45:18 pm

Also, on the note of passwords, at work I have to change mine every 3 (2 maybe?) months and I can't use any password I've used in the last NINETEEN times I've changed it.

My High School made us change our passwords monthly. It was set up to let people keep the same one (even though the teachers and staff always said you couldn't), though... I just don't think they were aware that was broken (Their tech people may have been more incompetent than FA.)

an hoopoe · « **Reply #19 on:** December 17, 2010, 04:31:32 am »

It seems that now, every single member of staff (Except Yak) has had their account changed to "member" level or set as "deceased". Dragoneer also had his gallery wiped & a journal was posted on his account:

Edit:

In Dragoneer's own words, this is apparently what happened:

Quote from: dragoneer

It turns out there's an XSS vulnerability in the trouble ticket system. Somebody was attacking every single point of the site, and apparently one of the reason updates to the TT's broke something, and they managed to exploit it that way. We saw a lot of other attempted XSS attacks, then this.

Ratte's account got hijacked simply because she was trying to help people, and then Ratte's account was used to attack FA (and then mine). So that's what we're seeing right now. We've closed off almost everything admin-wise.