amiga.org
     
01-13-2012, 06:23 PM   #1
Karlos
Sockologist
Join Date: Nov 2002
Location: I solve practical problems...
Posts: 16,606
Blog Entries: 18
Change your passwords

Dear all,

Several accounts here have been compromised in recent days. We have no evidence at this time to suspect that the server itself has been compromised. So far the issue appears to be one brought about through the use of weak passwords used across multiple forums as all of the known compromised accounts have been misused on other forums already.

With that in mind, please change your passwords for this and every other amiga forum you visit, making sure each one is unique and as strong as possible (use mixed case, numbers and symbols where you can, the longer the better).

We apologise for any inconvenience.
__________________
OCA
This isn't SCSI... This is SATA!!!
I have CDO. It's like OCD except all the letters are in ascending order. The way they should be.
Core2 Quad Q9450 2.66GHz / X48T / 4GB DDR3 / nVidia GTX275 / Linux x64, AROS, Win64
A1XE 800MHz / 512MB / Radeon 9200 / OS4.1
A1200T BPPC 240MHz / 256MB / Permedia 2 / OS 3.1 - OS3.9, OS4
A1200T Apollo 1240 28MHz / 32MB / Mediator1200 / Voodoo 3000 / OS3.9
A1200D Apollo 1240 25MHz (ejector seat ROM edition) / 32MB

01-13-2012, 06:46 PM   #2
Tripitaka
Defender of the Faith
Join Date: Jun 2005
Posts: 1,247
Re: Change your passwords

Done. I just hope I don't lose the paper I wrote it on, I've no chance of actually remembering it. XD
__________________
Falling into a dark and red rage.

01-13-2012, 06:49 PM   #3
Matt_H
VIP / Donor
Join Date: Mar 2003
Location: Boston, MA, United States
Posts: 4,989
Re: Change your passwords

Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

01-13-2012, 06:55 PM   #4
orange
Kindred of Babble-on
Join Date: Dec 2003
Location: Serbia
Posts: 2,532
Re: Change your passwords

Quote:
Originally Posted by Tripitaka
Done. I just hope I don't lose the paper I wrote it on, I've no chance of actually remembering it. XD

I hope it's not 'hunter2'
__________________
You`re here, Noŷs.

01-13-2012, 07:24 PM   #5
LoadWB
Kindred of Babble-on
Join Date: Jul 2006
Location: Tallahassee, FL
Posts: 2,104
Re: Change your passwords

Web security is fun. After reaching a total of 40-some passwords of my own I had to memorize, on top of customer passwords, I let Firefox save my passwords. In and of itself this is not secure, but I also encrypt my profile so obtaining the files without my private key is useless. Then each website uses a different password generated by apg, which creates NIST standard pronounceable passwords of whatever parameters you want, like 32 characters with special symbols and numbers, etc.

Default config (with -t to show pronunciations) creates something like this:
CrobOkus (Crob-Ok-us)
lidMuenn (lid-Muenn)
ciQuegsId9 (ci-Quegs-Id-NINE)
ubcorak$ (ub-cor-ak-DOLLAR_SIGN)
athGhakfum (ath-Ghak-fum)
dodMiuv[ (dod-Mi-uv-LEFT_BRACKET)
Or more complex, 32 character passwords which must contain capitals, lower-case, numbers, and special characters:
TafApJekAdd$ocealavwycsodbekcor9 (Taf-Ap-Jek-Add-DOLLAR_SIGN-oc-eal-av-wycs-od-bek-cor-NINE)
ucQuipsurrakbuzopp4ovVajDinchaj# (uc-Quips-urr-ak-buz-opp-FOUR-ov-Vaj-Dinch-aj-CROSSHATCH)
ScijyotNoimyatyeydPoodEwon1cylf& (Scij-yot-Noim-yat-yeyd-Pood-Ew-on-ONE-cylf-AMPERSAND)
~Ozvaujkent8OzdiCoiljevpanwogLoi (TILDE-Oz-vauj-kent-EIGHT-Oz-di-Coilj-ev-pan-wog-Loi)
TydTeogvalegHywridik/odJatovjan5 (Tyd-Te-og-val-eg-Hy-wrid-ik-SLASH-od-Jat-ov-jan-FIVE)
uskingAg3KigByldEegEdReejOckcur< (usk-ing-Ag-THREE-Kig-Byld-Eeg-Ed-Reej-Ock-cur-LESS_THAN)
I love this utility. If I forget a password (yeah, I'm not remembering 32 character passwords, for the most part,) or Firefox's save password is defeated (it happens,) then I just go through the process to create a new one. (And I didn't use any of the above here hehehe)
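
An added example, not part of the post above and not apg's code: a sketch of the one-generated-password-per-site practice the post describes, using the 32-character, all-four-classes parameters it mentions. It draws uniformly random characters rather than apg's pronounceable syllables, and the function names and site labels are assumptions made for illustration.

```python
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def has_all_classes(password):
    """True if the password holds at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate(length=32):
    """Draw from the OS CSPRNG and reject candidates that miss a class.

    Rejection keeps every compliant password equally likely, unlike forcing
    one character of each class into the string and shuffling.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def passwords_for(sites, length=32):
    """Return {site: password} with a distinct password for every site."""
    vault, used = {}, set()
    for site in sites:
        pw = generate(length)
        while pw in used:  # astronomically unlikely, checked anyway
            pw = generate(length)
        used.add(pw)
        vault[site] = pw
    return vault


if __name__ == "__main__":
    # Constructed site labels, for illustration only.
    for site, pw in passwords_for(["forum-a.example", "forum-b.example"]).items():
        print(site, pw)
```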

01-13-2012, 07:31 PM   #6
bbond007
Defender of the Faith
Join Date: Mar 2009
Posts: 1,268
Re: Change your passwords

Who is trying to hack Amiga sites anyway? Atari ST users?

01-13-2012, 07:47 PM   #7
save2600
Premium Member
Join Date: Jul 2006
Location: Southern, WI USA
Posts: 3,007
Re: Change your passwords

Quote:
Originally Posted by bbond007
Who is trying to hack Amiga sites anyway? Atari ST users?

The Atari SF354 is the greatest, most useful and most reliable drive on the planet!

I also love the fact it requires its own external power supply. So kewl!
__________________
Cash paid or will trade for loose and CIB Amiga games I need. Game manuals and boxes only too! Will purchase in large lots as well.

Last edited by save2600; 01-13-2012 at 07:53 PM..

01-13-2012, 07:57 PM   #8
Duce
Off to greener pastures
Join Date: Jul 2009
Posts: 1,058
Re: Change your passwords

Thanks for the heads up, Karlos. Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm

01-13-2012, 09:00 PM   #9
Tripitaka
Defender of the Faith
Join Date: Jun 2005
Posts: 1,247
Re: Change your passwords

Quote:
Originally Posted by orange
I hope it's not 'hunter2'

Oh, you mean *******, hey that's odd, when I type it I just get stars. :/

01-13-2012, 09:00 PM   #10
amiman99
Lifetime Member
Join Date: Aug 2011
Location: San Antonio, TX
Posts: 541
Re: Change your passwords

Quote:
Originally Posted by Duce
Thanks for the heads up, Karlos. Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm

Yes, I use a similar website to generate my passwords.
Just changed mine on this and other forums, just to be safe and of course they are different across forums.

01-13-2012, 09:11 PM   #11
tomazkid
Too much caffeine
Join Date: Sep 2004
Posts: 123
Re: Change your passwords

Quote:
Originally Posted by Matt_H
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

The obsolete part is the cms, the xoops is old and obsoleted, and will be replaced, it takes time though.
The OS the site runs on, was changed when aw.net moved to a new ISP, and is up to date.

Quoting Karlos regarding where the passwords come from:

"We have no evidence at this time to suspect that the server itself has been compromised. "

Same goes at aw.net, Sibbi has not found anything strange in the logs this far.

01-13-2012, 09:52 PM   #12
Pyromania
Head Amiga.org Chef
Join Date: Aug 2002
Location: Chicago
Posts: 1,422
Re: Change your passwords

Thanx Karlos

01-14-2012, 03:59 AM   #13
Karlos
Sockologist
Join Date: Nov 2002
Location: I solve practical problems...
Posts: 16,606
Blog Entries: 18
Re: Change your passwords

Quote:
Originally Posted by Tripitaka
Oh, you mean *******, hey that's odd, when I type it I just get stars. :/

For those not following, see: http://bash.org/?244321

01-14-2012, 05:26 AM   #14
Karlos
Sockologist
Join Date: Nov 2002
Location: I solve practical problems...
Posts: 16,606
Blog Entries: 18
Re: Change your passwords

Quote:
Originally Posted by Matt_H
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes?

There were a number of issues. The version of XOOPS that this site used previously (which I believe was even more obsolete than the install at AW) had weak hashing for passwords. However, the main impetus for moving to vB was that the hosting provider was set to remove all support for older PHP versions and associated libraries as part of a managed update to 5 (again, for security reasons). The version of XOOPS that was installed, which was extremely outdated by then, proved to be incompatible (bits worked, other bits didn't, basically a classic legacy PHP4 style application struggling with changes to the Zend engine since PHP5) with the updates.

The decision to move to vB was down to a choice between an updated version of XOOPS that would work after the update but be problematic for all the old amiga browsers, or some other platform. The only reason the site stuck with its ancient version of XOOPS for so long in the first place was for classic amiga browser compatibility (that and the fact that there was no upgrade path for most of the installed modules, either). With that consideration being out of the window regardless, alternatives were evaluated and vB was chosen as it scored better on a number of critical areas, including security.

Quote:
Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Yes, we're in touch and cooperating on the problem.

Quote:
Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

That's for the best. No matter how strongly we salt and hash your password, if it is the same as you use on half a dozen other sites and one of those is the weak link, there's not a lot we can do other than reset it for you.

So once again folks, change your passwords if you haven't already and under no circumstances use the same password on more than one forum!

Last edited by Karlos; 01-14-2012 at 05:34 AM..
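
An added example, not part of the post above and not code from either forum: it contrasts an unsalted fast digest with a per-user salted slow hash, and shows the point made in the post that a reused password still verifies against the well-protected site once it is known from elsewhere. MD5 as the "weak hashing" scheme, PBKDF2 as the strong one, and the sample passwords are assumptions; the post names no algorithm.

```python
import hashlib
import hmac
import os


def weak_hash(password):
    """Unsalted fast digest (assumption: MD5 stands in for 'weak hashing')."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def strong_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


def compare_sites():
    reused = "Amiga-Forever-1985"          # constructed sample password
    unique = "unique-to-this-forum-7Q!"    # constructed sample password

    # Weak site: two users with the same password get identical records.
    weak_records_match = weak_hash(reused) == weak_hash(reused)

    # Salted site: the same password yields different records per user.
    salt_a, rec_a = strong_hash(reused)
    salt_b, rec_b = strong_hash(reused)
    salted_records_match = rec_a == rec_b

    # Salting does not help once the password itself is known from
    # another site: it is simply the correct password here too.
    reused_still_logs_in = strong_verify(reused, salt_a, rec_a)

    # A password unique to this site is unaffected by the other leak.
    salt_c, rec_c = strong_hash(unique)
    unique_account_safe = not strong_verify(reused, salt_c, rec_c)

    return (weak_records_match, salted_records_match,
            reused_still_logs_in, unique_account_safe)


if __name__ == "__main__":
    print(compare_sites())
```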

01-14-2012, 06:11 AM   #15
orange
Kindred of Babble-on
Join Date: Dec 2003
Location: Serbia
Posts: 2,532
Re: Change your passwords

Thank God it's not Doomy, or this would have turned into amiga2000.org!