IMPORTANT! Have you received an email to your forum username?

Comments

  • Micky
    Micky Posts: 359 Forumite
    Were posters advised of the original, historical breach? With the recommendation to change user name and/or associated email address?
  • Ed_Jogg
    Ed_Jogg Posts: 184 Forumite
    Part of the Furniture 100 Posts
    paddyrg wrote: »
    This actually seems to be being handled well and transparently compared with most data breaches (which are not as uncommon as you may think). I've been watching Martin's posts and they show a very practical, pragmatic approach for a non-technical person trying to manage a technical problem.

    ....

    So, dear MSE readers, the time for gnashing and frothing has passed, and instead it is worth recognising how well this is being handled. If you want to see examples of this being handled terribly by far bigger organisations, read the technical press (like theregister.co.uk). Computers are complicated, balls-ups happen, it's how you recover that counts. So far I doubt it could have been handled much better in honesty. And I'm sure if anyone demands a full refund of their site fees, Martin will be only too happy to oblige... ;-)

    I wholeheartedly agree with paddyrg (whose full post is towards the top of this page.)

    Computers use software to tell them what to do. They will execute this software 'perfectly' -- they will do exactly what the software tells them to do. The problem is that the software is written by humans (ultimately -- even if automatically generated by other software, which was written by humans) and humans are not perfect, ergo the software cannot be perfect. Hence all software contains bugs, as it is not possible to test for an infinite number of alternative scenarios. The most obvious/important bugs (should) be found and resolved before the software is released, but some sneaky (difficult to find) ones may remain. So, whenever a software update is released to fix some discovered bugs, more, even sneakier, bugs will have been introduced....

    Security issues such as this are now a fact of life, and have to be handled in a controlled manner -- as being done by MSE -- if it worries you that much, the only alternative is that you'll just have to stop using your computer (and mobile phone, cable TV box, ...)
  • nilrem_2
    nilrem_2 Posts: 2,188 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    I received the trojan mail but only found it this morning. I also received a phone call a couple of days ago from a foreign girl asking me to check my PC. She hung up on me after I said I had anti spyware. Anyone else had this experience?

    Just in case people here are concerned about the above, the phone call has no connection whatsoever with the current issue at MSE, though I can quite understand that anyone receiving such a call after reading about the MSE email might associate the two!

    The phone call/virus scam has been about for quite some time now. :)
  • rosieben
    rosieben Posts: 5,010 Forumite
    1,000 Posts Combo Breaker
    paddyrg wrote: »
    ... So, dear MSE readers, the time for gnashing and frothing has passed, and instead it is worth recognising how well this is being handled. If you want to see examples of this being handled terribly by far bigger organisations, read the technical press (like theregister.co.uk). Computers are complicated, balls-ups happen, it's how you recover that counts. So far I doubt it could have been handled much better in honesty. And I'm sure if anyone demands a full refund of their site fees, Martin will be only too happy to oblige... ;-)

    well said! :T
    ... don't throw the string away. You always need string! :D

    C.R.A.P.R.O.L.L.Z Head Sharpener
  • rosieben
    rosieben Posts: 5,010 Forumite
    1,000 Posts Combo Breaker
    Ed_Jogg wrote: »
    ...
    Security issues such as this are now a fact of life, and have to be handled in a controlled manner -- as being done by MSE -- if it worries you that much, the only alternative is that you'll just have to stop using your computer (and mobile phone, cable TV box, ...)

    and well said too! :D
    ... don't throw the string away. You always need string! :D

    C.R.A.P.R.O.L.L.Z Head Sharpener
  • nilrem wrote: »
    people are tending to be just a little paranoid about what is basically another spam email.
    Except it's not just another spam email - it's a virus/trojan horse email sent only to members of this forum (and no other) with intent to trick them, using member details stolen from this forum.

    That's rather different from an indiscriminate "we sell nice watches, come to our website" spam.

    No-one is served by people sticking their heads in the sand over this issue and pretending that it has not happened. You can't keep yourself safe if you're in denial about the danger. It's manageable of course, but people need to understand what happened and how it can affect them.
  • paddyrg wrote: »
    The passwords have not been breached, I'm pretty confident. VBulletin just doesn't work that way, it doesn't store passwords.

    vBulletin stores two pieces of information (a hashed password, and a salt value) which, together, can be used to verify whether a particular word is, or is not, that user's password.

    While that means that, if the database is breached, your password is not immediately readable to the human eye (e.g. it doesn't say "password") it means that anyone with computer knowledge can automatically try thousands of likely passwords (e.g. 123456, dragon, qwerty, master, football, monkey) to see which one 'adds up' to the hash and salt values in the database.

    It's impossible to say whether passwords have been compromised or not - as Martin himself says, at the moment they simply don't know what has happened, just as they did not know back at the time of the first breach on this forum back in July 2009.

    But, since we know that, at the very minimum, usernames and email addresses HAVE been compromised, it's reasonable to assume that other data in the forum database - e.g. your password, your date of birth, your Skype name, etc, (if you filled these in) could also have been taken.

    It's only if you know the facts that you can mitigate your risk. e.g. if you filled in your Skype username on this forum, and you use the same password on Skype as you do on this forum, then it would be a good idea to change your Skype password immediately. Just in case. It does no harm to take precautions. (And be on the lookout for any suspicious emails that might address you by your Skype username, for example.)

    If you use the same password on this forum as you use on Amazon (where you log in with your email address - which has definitely been compromised), CHANGE YOUR AMAZON PASSWORD just in case.

    I think the advice given here previously - i.e. that if you've used the same username and password on other forums as you used on this one, it's worth changing the passwords elsewhere. If you've used the password you used on this forum anywhere else, it's best to change it.

    It's not scaremongering to suggest that you take reasonable precautions once you become aware that secret information has been compromised. It's just a sensible step to take to make sure that this whole sorry business goes on to cause you as little hassle as possible. If everyone keeps a cool head then things will be fine.
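The post above describes how a stolen table of salted hashes lets someone test a short list of likely passwords against each row, and why that matters if you reuse the same password elsewhere. The example below is added here to illustrate that point and is not code from the forum, from vBulletin or from any poster: the "legacy" scheme (md5 of md5(password) plus salt) is an assumption chosen as a stand-in for a fast hash, the leaked rows and salts are constructed, and the operator-side audit and the PBKDF2 comparison are both assumptions about what a site could do, not a description of what MSE did.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Added illustration, not the forum's or vBulletin's code. The page only says
# vBulletin stores "a hashed password and a salt"; the exact legacy scheme
# below (md5 of md5(password) + salt) is an ASSUMPTION used as a stand-in for
# any fast hash. The rows, salts and usernames are constructed sample data.

def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def legacy_verify(candidate: str, stored_hash: str, salt: str) -> bool:
    """The check the site itself performs at login: does this word 'add up'?"""
    return secrets.compare_digest(legacy_hash(candidate, salt), stored_hash)

# Hardened alternative: a deliberately slow, salted KDF from the standard
# library (PBKDF2-HMAC-SHA256). Stored as (salt_hex, hash_hex).
PBKDF2_ITERATIONS = 200_000

def modern_hash(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Hash with a fresh random 16-byte salt unless one is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()

def modern_verify(candidate: str, salt_hex: str, stored_hex: str) -> bool:
    _, digest_hex = modern_hash(candidate, bytes.fromhex(salt_hex))
    return secrets.compare_digest(digest_hex, stored_hex)

# The short list of likely passwords quoted in the post.
COMMON_PASSWORDS = ["123456", "dragon", "qwerty", "master", "football", "monkey"]

# Constructed rows shaped like a leaked forum table: (username, salt, hash).
LEAKED_ROWS: List[Tuple[str, str, str]] = [
    ("alice", "Ab3x", legacy_hash("dragon", "Ab3x")),                  # on the list
    ("bob",   "Q9zt", legacy_hash("correct horse battery", "Q9zt")),   # not on it
    ("carol", "m2Kp", legacy_hash("monkey", "m2Kp")),                  # on the list
]

def audit_common_passwords(rows, wordlist=COMMON_PASSWORDS) -> Dict[str, str]:
    """Operator-side check after a breach: which accounts have a password on
    the common list and must be forced through a reset? Returns
    {username: matched_word}. This is the same computation the post warns
    about, run by the site over its own data."""
    hits: Dict[str, str] = {}
    for username, salt, stored in rows:
        for word in wordlist:
            if legacy_verify(word, stored, salt):
                hits[username] = word
                break
    return hits

def guesses_per_second(verify_one: Callable[[], bool], repetitions: int) -> float:
    """Rough throughput of one verify call, to compare the two schemes."""
    start = time.perf_counter()
    for _ in range(repetitions):
        verify_one()
    return repetitions / (time.perf_counter() - start)

def cost_ratio() -> float:
    """How many legacy checks fit in the time of one PBKDF2 check. A larger
    number means each stolen row survives far longer against a wordlist."""
    salt_hex, stored_hex = modern_hash("dragon")
    legacy_rate = guesses_per_second(
        lambda: legacy_verify("qwerty", LEAKED_ROWS[0][2], "Ab3x"), 2000)
    modern_rate = guesses_per_second(
        lambda: modern_verify("qwerty", salt_hex, stored_hex), 3)
    return legacy_rate / modern_rate

if __name__ == "__main__":
    print("accounts with common passwords:", audit_common_passwords(LEAKED_ROWS))
    print(f"legacy checks per PBKDF2 check: ~{cost_ratio():.0f}x")
```

The audit function is the constructive use of the observation in the post: a site that has lost its table can run it over its own rows and force resets for the accounts that match, rather than waiting for someone else to do the same sum. The cost ratio shows why a slow KDF is the real mitigation for the database side, while the only mitigation for the reuse problem the post describes (same password on Skype, Amazon, another forum) is to change the reused password.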
  • StumpyPumpy
    StumpyPumpy Posts: 1,458 Forumite
    Part of the Furniture 1,000 Posts Photogenic
    Except it's not just another spam email - it's a virus/trojan horse email sent only to members of this forum (and no other) with intent to trick them, using member details stolen from this forum.

    Semantics.

    If you want to argue the difference between the terms applied to different forms of malware and their delivery systems then there are better places to do it than here.
    To Hormel's dismay, spam has become as synonymous with junk email as Hoover is with vacuum cleaning (though I don't think Hoover complained). And it is used entirely appropriately here as a description of unsolicited, bulk email that most people will understand. It may not fit your definition of spam perfectly but it is close enough that everyone understands.
    Right, got to go. Need to Electrolux my living room.

    SP
    Come on people, it's not difficult: lose means to be unable to find, loose means not being fixed in place. So if you have a hole in your pocket you might lose your loose change.
  • paddyrg wrote: »
    This actually seems to be being handled well and transparently compared with most data breaches (which are not as uncommon as you may think). I've been watching Martin's posts and they show a very practical, pragmatic approach for a non-technical person trying to manage a technical problem.

    The passwords have not been breached, I'm pretty confident. VBulletin just doesn't work that way, it doesn't store passwords.

    The MSE team are wisely checking if this affects new members, or just older ones so they can determine if the system is currently vulnerable, or just previously so. This is excellent practice.

    Systems are insecure, all of them. It's because they are so *complicated* that they have vulnerabilities, and they are complicated because people have a certain level of expectation of functionality. The more flexibility and whiz-bang you have, the greater the exposed surface of the application.

    New vulnerabilities are found frequently, and new patches are developed to fix the vulnerable code. The webmaster/techies have to appraise each patch as to whether it is worth installing (as they may have to install other packages on top for the site to function as desired, it can take a while). As the fix is new code, it itself may open up new vulnerabilities and risk areas, but against that you will have some criminals eager to attack unpatched websites before the webmasters have a chance to update the code - these are called "zero-day exploits" and are just about impossible to guard against.

    So we as internet members want ever increasing easier to use stuff, but in exchange we increase the risk of data breach. More functionality = more code = more risk. I think this site takes a pretty considered view on data security by only requiring the bare minimum possible to be able to provide you with a service. Some sites want your name, DoB, gender, etc., all of which is generally meaningless in the site's context, but great news for cybercriminals who may breach the system. This is a complex site, but most parts require no sign-up to use.

    On this site, the links could all be affiliates, but the spirit of the site is to offer non-affiliate links too. It is clearly making a profit as it employs people and sponsors charities, and I applaud that. The only way it can do so is if people trust they are not being misadvised for the site owner's benefit, and that is the whole ethos of the site. Martin seems to be a canny fellow whose integrity has landed him well, he's not a stupid man, so of course he didn't sell the mailing list! That would RUIN his entire business model for the sake of a couple of grand, and even supposing he were that stupid, would the only sale he made be to a malware-installing spammer?

    So, dear MSE readers, the time for gnashing and frothing has passed, and instead it is worth recognising how well this is being handled. If you want to see examples of this being handled terribly by far bigger organisations, read the technical press (like theregister.co.uk). Computers are complicated, balls-ups happen, it's how you recover that counts. So far I doubt it could have been handled much better in honesty. And I'm sure if anyone demands a full refund of their site fees, Martin will be only too happy to oblige... ;-)


    Mr Lewis and this site turn over millions of pounds a year. It's no different to a bank or major retailer. If they had done this the media and those affected would be crucifying them, especially when it transpired they knew about it for a year and did nothing.
  • meher
    meher Posts: 15,910 Forumite
    10,000 Posts Combo Breaker
    Mr Lewis and this site turn over millions of pounds a year. It's no different to a bank or major retailer. If they had done this the media and those affected would be crucifying them, especially when it transpired they knew about it for a year and did nothing.
    nothing about hypothetical tall tales?
    Nohope wrote: »
    I have received a reply from webmaster saying they are looking into it, so at least that is encouraging news.
    I never received spam or webby's special attention. I genuinely :D feel left out by now.
This discussion has been closed.