
IMPORTANT! Have you received an email to your forum username?


Comments

  • paddyrg Posts: 13,543 Forumite
    DrPaul wrote:
    All that DoS does is flood the server as if a million people are trying to access the site at the same time. It effectively takes the site down as either the server hardware can't cope or the network infrastructure can't keep pace but no way should it compromise the contents of the site.
    Staying off topic a sec (apologies everyone!) it can be that a DoS overwhelms the web application into faulting and sometimes the failure modes of web applications give away useful details. For instance, bullying a web server to make a huge number of database reads can overwhelm the database which will throw an exception. The web app if poorly implemented can then render that exception to the client for debugging purposes (for instance "error connecting to database at x/y/z location for username 'admin'"). That can be enough to chase after the x/y/z location (perhaps the database has its own IP address, for instance) and then you can brute force knowing that 'admin' is a valid username with privileges.

    Or potentially when the server is being overwhelmed, it may report that some or other SQL statement cannot be executed, revealing just a little of the database structure, possibly just enough to tailor a SQL Injection attack if they spotted a vulnerable search box, etc etc.

    In short, DoS's can give useful information about the underlying architecture which allows extra probing. HTH.

    And this certainly was a case of a compromised system, I also received the spam exclusively to an address I only use here.
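The failure mode paddyrg describes, a handler that renders the raw exception to the client, shown beside a hardened handler that logs the detail server-side and returns only a reference id. This is an added illustration, not code from the forum or from any software the thread discusses; the error message, hostname and account name are constructed.

```python
import logging
import re
import secrets
from typing import Tuple

log = logging.getLogger("app")

# Constructed sample: the sort of message a database driver raises when the
# pool is exhausted under load. Host, port and user are made up.
SAMPLE_DB_ERROR = ConnectionError(
    "could not connect to database at db-internal.example:5432 "
    "for username 'admin': too many connections"
)


def leaky_handler(exc: Exception) -> Tuple[int, str]:
    """'Debug-friendly' handler: the raw exception text goes to the client.
    Under load this is what exposes internal hostnames and account names."""
    return 500, f"Internal error: {exc}"


def hardened_handler(exc: Exception) -> Tuple[int, str]:
    """Hardened handler: full detail goes to the server log, keyed by a random
    reference id; the client sees only the id, which support can look up."""
    ref = secrets.token_hex(8)
    log.error("ref=%s exception=%r", ref, exc)
    return 500, f"Something went wrong. Reference: {ref}"


# Things that should never appear in a response body: host:port pairs,
# account names, fragments of SQL. A response test can run this check.
LEAK_PATTERNS = [
    re.compile(r"\b[\w.-]+:\d{2,5}\b"),                  # host:port
    re.compile(r"username\s+'[^']+'"),                   # account names
    re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b", re.I),
]


def leaks_internals(body: str) -> bool:
    """True if the response body exposes any of the patterns above."""
    return any(p.search(body) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    for handler in (leaky_handler, hardened_handler):
        status, body = handler(SAMPLE_DB_ERROR)
        print(handler.__name__, status, "LEAKS" if leaks_internals(body) else "ok", body)
```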
  • I feel so left out, I haven't had one yet. I'm depraved on account of I'm deprived :(

    In all seriousness guys you've probably deleted worse threats without even realising it. Junk it and forget it. It's not the end of the world.

    It's not like our posts are private, and if you're that concerned, change a couple of passwords....simples...EEK!

    In reality how many of you use your username@hotmail, yahoo, msn etc? Could be a wild stab in the dark rather than a breach
  • ormus wrote:
    there's no reason why the spammers cannot just trawl for the usernames and then append them with all the common email provider names.
    i.e.
    ormus at yahoo, google, hotmail etc etc...

    My user name is NOT registered as an email address so sorry to say this information has been harvested directly from the MSE website!
  • StumpyPumpy Posts: 1,458 Forumite
    DrPaul wrote:
    Sounds like someone inadvertently enabled directory browsing on the server

    Not quite - they restored the site from an unencrypted backup that they left in a public area on the server, incompetence is not a word I use lightly. And I won't say anything else about DDoS either, it is a red herring, as far as we know it hasn't happened here so why talk about it?

    As a general note: having been in response teams myself, can people please not clamour for information on the state of the investigation while it is ongoing. It is very hard to work on resolving a situation when you are spending all your time explaining to people what you are doing to resolve a situation. In the past I have been in hourly update conference calls that have lasted 2 hours.
    Come on people, it's not difficult: lose means to be unable to find, loose means not being fixed in place. So if you have a hole in your pocket you might lose your loose change.
  • smk77 Posts: 3,697 Forumite
    MSE_Martin wrote:
    Dear me,

    Sometimes you can't do right for doing wrong. The point here was I learned of the frequency of attempts (which are very different from an actual breach) not that someone is trying to crack us.

    I don't really need to know the frequency, just that it is an issue and we need to deal with it. My technical team are the professionals on this, not me, and I have little to add apart from overarching policy on it - and deciding whether to invest in making things more secure (and what data we hold).

    We have invested over the last year, including external assessments and consultants as we believe it important. Please don't try and pick holes in every word written - it is quite distracting from the job in hand.

    Martin

    Martin, you've missed my point. It's been mentioned that this isn't the first breach and therefore the frequency is extremely important. The frequency of the attacks also gives a good indication of the level of target MSE is and therefore the resources that need to be invested. As you're probably the person who decides how much to spend on consultants such information is vital.

    I had a right go at some of the people who leave themselves open to cyber-crime last night. No doubt they're the same people who have been so quick to jump on the "Martin Lewis has sold our personal details" bandwagon and those who are also going on about data protection and fines.

    I have no doubt that you are taking this extremely seriously and doing absolutely everything you need to do. I was just a bit surprised that you'd learnt something today that may have influenced your investment more in security over the last year had you known earlier.
  • ~Minx~ Posts: 195 Forumite
    Just checked the email address that I used to sign up with and had the email in my junk folder.

    I don't use the address for anything else. My join date is March 2009.
  • I joined in April 2007 and still have the same email address that I registered with. I received one of these spam emails to my forum username but it had gone straight into my junk folder.
  • titchylin Posts: 1,382 Forumite
    Just voted on the poll at top and it's saying
    Voters: 381. You have already voted on this poll

    which I haven't!!!??
  • thelawnet Posts: 2,584 Forumite
    meher wrote:
    rightly or wrongly I believe it's personal responsibility to manage our passwords - the site only needs to ensure our details given whilst we signed up are secure

    No one could've advised on passwords in any case when there's been no evidence or details of any deliberate security breach. If the password isn't saved in any system, how does the virus get your password?

    Of course the password is saved in the system, otherwise we wouldn't be able to login.

    The password is hashed, but it's still the password, and it's going to vary from utterly trivial to somewhat difficult to crack it. Whether that's any use depends on whether the password has been used elsewhere. Which for most people I'm guessing it has.
    jrawle wrote:
    vBulletin stores its passwords in a hashed form. There is little chance of the hackers being able to retrieve passwords (or indeed, trying to) from this. The risk is slightly increased if you use a dictionary word as your password (which is never a good idea anyway). The biggest risk is of people following a link that then installs malware that sniffs for passwords on their computer, or otherwise tricks them into giving up their password.

    Uh huh. Because that would be impossible and unthinkable. I mean why would they do that, it's not like a five minute dictionary attack on the user table wouldn't work or anything. And of course crackers haven't written any software to automate the process at high speed or anything. There's nowhere you could possibly go to discuss this topic.

    Nobody would possibly be interested in stealing your details at all. Nope.
  • I got the email and joined in 2008 I think but a friend you can get to the poll joined in 2010 and didn't receive the email.