Author Topic: FA admin account compromised (YES, AGAIN.)  (Read 2195 times)

Conan

FA admin account compromised (YES, AGAIN.)
« on: February 26, 2011, 02:15:22 am »
Rhainor's account was broken into earlier this evening, and a few documents have been released on Lulz; so far this consists of two pages of admin comments for users Clayton and Cadbury.

http://i.imgur.com/n7p2L.jpg - Clayton
http://i.imgur.com/hUlHK.jpg - Cadbury

Rhainor was included among the Gawker leak, so there's a good chance this is again a problem that could have been prevented by forcing admins to use their @furaffinity emails and setting strong password rules.

rodox_video

Re: FA admin account compromised (YES, AGAIN.)
« Reply #1 on: February 26, 2011, 02:57:00 am »
and the gawker leak was HOW LONG AGO
Zeriara is part of a series on Whores.

Conan

Re: FA admin account compromised (YES, AGAIN.)
« Reply #2 on: February 26, 2011, 03:12:50 am »
After two admins denied that a hacking took place (They also graduated from the "Baghdad Bob" school of PR), Summercat posted:

Quote from: Summercat
We are aware of exactly how this went down, and have already taken a step that should fix how this went down from happening again. In specifics, someone broke into an admin's IM and e-mail account, then contacted multiple admins saying that they had forgotten their password, and that the password reset was not working. One admin, after going through and verifying information as correct (I saw the log there), changed and reset the password on the account.

Wow.


Woooooooooooooooooooooooooooooooooooow.

And an update from the hacker (via Lulz):

Quote
If anyone is curious as to how I got in:
Basically, I hacked Rhainor's AIM and another one of his e-mail accounts, and then IMed BijouxDeFoxxe, an FA admin, to change my e-mail to the one I had hacked. Without much questioning at all (and very poor spelling), she does it, and that's how I got in. Basically, the FA admins are dumb gullible faggots.

Quote
In addition, I also got ArielMT to reveal to me what the current e-mail attached to Rhainor's account (That.Damn.Dragon@Gmail.com), without much questioning either. However, upon realizing it wasn't attached to the e-mail accounts I knew about, it ended up being a dead end. Xaerun also would have gladly done it if not for the fact that he was being barked at by one of the admins to only do such things through their admin IRC. He actually did send an e-mail with the new password to an account I claimed to be safe since it had a domain name in it (Rhainor@Far-side-of-reality.net, although it really redirects to his gmail), but it bounced for some odd reason. If it hadn't bounced, Xaerun would have given me access to the account.

I... there... THERE ARE NO WORDS.

rodox_video

Re: FA admin account compromised (YES, AGAIN.)
« Reply #3 on: February 26, 2011, 03:33:11 am »
that sure was a fuckton of effort just to get at clayton's rap sheet and some dogfucker pulling an internet tough guy act
« Last Edit: February 26, 2011, 01:00:49 pm by rodox_video »

Freehaven

Re: FA admin account compromised (YES, AGAIN.)
« Reply #4 on: February 26, 2011, 05:19:45 am »
Congratulations, Dragoneer, your site is being administrated by people who have no idea what social engineering is.

a pigeon

Re: FA admin account compromised (YES, AGAIN.)
« Reply #5 on: February 26, 2011, 07:08:42 am »
FA forums thread: http://forums.furaffinity.net/threads/93239-Another-day-another-hacking

A distillation of initial admin response:

Quote
we are changing [...] the admin who let the hacker in has been talked to [...] it is a developing situation [...] we really need [...] some additional internal policies [...] I'm evolving some policy and procedure suggestions for these situations [...] the solutions I am now proffering [...] I'm suggesting two non-exclusive options [...] going to be taking steps [...] I'm also suggesting a few things [...] a bit of fixing the fence after the cows are gone, but once we fix the fence we can get new cows [...] I've been quietly pondering possible answers

I understand that Sean doesn't delegate effectively and cannot deal with a lot of things, but I think it is better to admit that there is nothing you can do at the moment, than to use PR speak in order to make it look like something is being done. Papering over the problems only makes them worse in the long run.

edit:

http://forums.furaffinity.net/threads/93239-Another-day-another-hacking?p=2402927&viewfull=1#post2402927

A fairer response I guess. Still:

Quote from: Arshes Nei
I had posted to the staff about account security and it seems it was ignored :/ So people need to write policy on top of policy or make more policy...
« Last Edit: February 26, 2011, 09:26:17 am by a pigeon »
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

Pi

Re: FA admin account compromised (YES, AGAIN.)
« Reply #6 on: February 26, 2011, 11:52:23 am »
You wanna know what's cute? HBGary/Rootkit.com got owned in exactly this same way. Of course, since they're a security company, they're handling it a lot less gracelessly. FA's still going to be flailing about around this for another few months.

(I'm only reminded of this because my Twitter just got 0wned through that password leak. (Guess what I'm doing tonight? (going through and making sure I'm not using that password anywhere any more? i think so!)))
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Jim Demintia

Re: FA admin account compromised (YES, AGAIN.)
« Reply #7 on: February 26, 2011, 12:51:39 pm »
If I didn't know any better, I'd say something like, "Damn, 'Neer must be hitting the bottle pretty hard these days". I'd say that if I didn't know that his idea of "it's time to flirt with alcohol poisoning" is "Thursday".

Also, I really doubt the Gawker leak had much to do with anything. This seems like good old-fashioned social engineering. I think the only reason people thought that was because it happened to be what passes for news on the Internet at the time of FAleaks.

The real "issue" is people using shitheaded passwords. If the Gawker leak hadn't happened it's exceedingly likely the security events surrounding FA over the last few months would have played out largely in the same way.

It occurs to me that this guy seems like he is trying to copy-cat the FAleaks perpetrator(s). He's being far less discreet and "professional" about it too. It might be possible, should anyone (Dragoneer, fd_2 losers, whoever) try, to root this guy out and string him up as a scapegoat. Posting online boasting admitting you're "the hacker" is a big mistake, even if it is to a place like Lulz. As I recall there hasn't really been a first-person word one from the FAleaks people.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

rodox_video

Re: FA admin account compromised (YES, AGAIN.)
« Reply #8 on: February 26, 2011, 01:00:02 pm »
Quote from: Jim Demintia
As I recall there hasn't really been a first-person word one from the FAleaks people.

Oh, there was. They just made a conscious decision to not say much.

loki

Re: FA admin account compromised (YES, AGAIN.)
« Reply #9 on: February 26, 2011, 02:34:43 pm »
Maybe it would be a smart idea to stop giving all their admins super user privileges where they can do anything? They shouldn't give full admin powers to high school dropouts who really don't care about doing any work for the site; I'd only trust very few with that much power. I mean come on Dragoneer, how often do admins need to change the emails of other admins? Is this something that happens all the time and requires all admins to have that ability? Giving people levels of power would go a long way in preventing something like "FALeaks" from happening again.

Pi

Re: FA admin account compromised (YES, AGAIN.)
« Reply #10 on: February 26, 2011, 05:59:29 pm »
Quote from: loki
Maybe it would be a smart idea to stop giving all their admins super user privileges where they can do anything?

The code has somewhere between 0 and 1 level of privilege (and 2 or 3 places where UIDs are checked in order to spew debugging information...), and 5 different user sigils. Good idea, but impossible for them to execute given their current codebase.

Djinnie

Re: FA admin account compromised (YES, AGAIN.)
« Reply #11 on: February 28, 2011, 10:12:12 am »
Quote from: loki
Maybe it would be a smart idea to stop giving all their admins super user privileges where they can do anything? They shouldn't give full admin powers to high school dropouts who really don't care about doing any work for the site; I'd only trust very few with that much power. I mean come on Dragoneer, how often do admins need to change the emails of other admins? Is this something that happens all the time and requires all admins to have that ability? Giving people levels of power would go a long way in preventing something like "FALeaks" from happening again.

Unfortunately, it's not quite that simple. The codebase is set up for an "all or none" type of access, either you get access to all admin abilities, or you get access to none. Full Stop.

The ability to look at user history is actually one of the few these days that doesn't require the admin log into the ACP with a separate password. Anything else, even deleting a shout, requires a separate login to the ACP from what I'm told, which I suppose is better than one session gets all access like it was prior to FAleaks.
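
Added example, not part of the thread and not FA's code: a sketch of the controls the posts above argue for (tiered privileges instead of "all or none", recovery requests accepted only over the admin channel, new credentials sent only to the address on file, and a second person approving changes to staff accounts). The role tiers, action names, channel names and request fields are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Hypothetical tiers; the thread says the real codebase had no such levels.
Role = IntEnum("Role", "USER MODERATOR ADMIN SUPERVISOR", start=0)

# Assumed policy: lowest role allowed to perform each action.
REQUIRED = {"view_user_history": Role.MODERATOR, "delete_shout": Role.MODERATOR,
            "reset_password": Role.ADMIN, "change_email": Role.ADMIN}
RECOVERY = {"reset_password", "change_email"}
TRUSTED_CHANNELS = {"admin_irc"}  # IM and e-mail accounts can be taken over

@dataclass
class Request:
    action: str
    actor: str
    actor_role: Role
    target: str
    target_role: Role
    channel: str = "admin_irc"   # where the request reached the actor
    deliver_to: str = ""         # address the new credential would go to
    email_on_file: str = ""
    approvers: dict = field(default_factory=dict)  # approver name -> Role

def evaluate(req):
    """Return (allowed, reasons); every failed control is reported."""
    need = REQUIRED.get(req.action)
    if need is None:
        return False, ["unknown action"]
    reasons = []
    if req.actor_role < need:
        reasons.append("actor role too low")
    if req.action in RECOVERY:
        if req.channel not in TRUSTED_CHANNELS:
            reasons.append("untrusted request channel")
        if req.action == "reset_password" and req.deliver_to != req.email_on_file:
            reasons.append("credential not sent to address on file")
        if req.target_role >= Role.MODERATOR and not any(
                role >= Role.SUPERVISOR and name not in (req.actor, req.target)
                for name, role in req.approvers.items()):
            reasons.append("staff target needs independent supervisor approval")
    return not reasons, reasons

# Constructed requests modelled on the thread's description (names invented).
im_change = Request("change_email", "admin_a", Role.ADMIN, "admin_b", Role.ADMIN,
                    channel="instant_message")
irc_change = Request("change_email", "admin_a", Role.ADMIN, "admin_b", Role.ADMIN,
                     approvers={"lead_c": Role.SUPERVISOR})
bad_reset = Request("reset_password", "admin_a", Role.ADMIN, "user_d", Role.USER,
                    deliver_to="other@example.org", email_on_file="d@example.org")
```

Calling `evaluate(im_change)` denies the request with both the channel and the approval reasons, which is the point of layering the checks: a convincing story told over a hijacked IM account fails even if the admin who receives it is persuaded.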