[IMPORTANT] HWZ Account Security Advisory

Old 28-02-2018, 02:08 PM   #46
Great Supremacy Member
 
BlackCube's Avatar
 
Join Date: Jul 2003
Posts: 67,636
Good work on upgrading the user password requirements. This will hinder hackers trying to guess users' passwords based on social engineering. However, have any server side improvements been made? For example, just off the top of my head:
1. Storing user passwords on the server securely, e.g. PBKDF2/bcrypt? Or, minimally salted hash (SHA-2 and stronger). This will greatly slow down attackers who have successfully gained access to the server passwords in trying to brute force/build rainbow tables to obtain user passwords in clear.
2. Sending the user an email whenever his/her account is accessed (either successfully or unsuccessfully) from an unknown machine. Google does this. Facebook does this. It ensures that even if an attacker has access to the user's credentials, the user will be notified of such illegitimate access, and hopefully will be prompted to change his/her password.

I would stop short of enforcing 2FA (from say, Google Authenticator or any other OATH compliant token) since I think this is kinda overkill and inconvenient for an Internet forum, but I know some forums do this.
I don't see how the password complexity is an upgrade since this kind of enforcement is outdated. But agreed with the rest.
Old 28-02-2018, 06:03 PM   #47
Arch-Supremacy Member
 
Pyre's Avatar
 
Join Date: Jan 2000
Posts: 19,841
1. Storing user passwords on the server securely, e.g. PBKDF2/bcrypt? Or, minimally salted hash (SHA-2 and stronger). This will greatly slow down attackers who have successfully gained access to the server passwords in trying to brute force/build rainbow tables to obtain user passwords in clear.
2. Sending the user an email whenever his/her account is accessed (either successfully or unsuccessfully) from an unknown machine. Google does this. Facebook does this. It ensures that even if an attacker has access to the user's credentials, the user will be notified of such illegitimate access, and hopefully will be prompted to change his/her password.

I would stop short of enforcing 2FA (from say, Google Authenticator or any other OATH compliant token) since I think this is kinda overkill and inconvenient for an Internet forum, but I know some forums do this.
I'm pretty confident the admins know what to do and have good intentions for the community. whether they have a budget and resources for the additional infrastructure to execute the plan is another matter.

and my 2FA suggestion was 'optional' for general users to apply themselves. in other words the feature exists on the website, but let the user themselves decide if they want to use it. give them the ownership and responsibility of their account. granted those of administrative or senior positions within the organization may want to have 2FA enforced. or maybe enforce a 90-day password reset for accounts with accountability. there's plenty of ways to improve security, again the question is whether their hands are tied behind their backs.
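Pyre's second item, an alert whenever a login (successful or not) comes from a machine the user has not used before, as an added illustration and not anything HWZ runs. Approximating a "machine" by the client's /24 (or /64 for IPv6) network plus a hash of its browser string is an assumption, and the outbox list stands in for the mail sender.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    username: str
    ip: str
    user_agent: str
    success: bool


@dataclass
class LoginMonitor:
    """Tracks which (network, browser) pairs each user has logged in from."""
    known: Dict[str, Set[str]] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)  # notifications that would be emailed

    @staticmethod
    def device_key(ip: str, user_agent: str) -> str:
        # Assumption: a "machine" is approximated by its /24 (IPv4) or /64 (IPv6)
        # network plus a hash of the user agent; a real site would also bind a
        # persistent device cookie so a new browser on a known network is flagged.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ua = hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]
        return f"{net}|{ua}"

    def record(self, ev: LoginEvent) -> bool:
        """Return True when the login came from a device the user has never used.
        Unknown devices always produce a notification; only a successful login
        adds the device to the user's known set, so repeated failures keep alerting."""
        key = self.device_key(ev.ip, ev.user_agent)
        seen = self.known.setdefault(ev.username, set())
        unknown = key not in seen
        if unknown:
            outcome = "successful" if ev.success else "failed"
            self.outbox.append(f"to={ev.username}: {outcome} login from new device {key}")
        if ev.success:
            seen.add(key)
        return unknown
```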
Old 28-02-2018, 06:52 PM   #48
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Hi Pyre,

As mentioned earlier, we'll be glad to update on further measures once they are in place. Several internal and external stakeholders are involved in this whole process, where one group is focusing on the investigation, while another is focusing on improving the security measures.

Meanwhile, thank you for your suggestions as well as those contributed earlier from other members - they are definitely appreciated and we can further share these inputs with the necessary working stakeholders.

Regarding the note about announcements, noted on that.
We've also emailed all members of this incident, but you do make a valid point since some emails may not be actively used. We'll take that into consideration. At the point when we issued the press release, all admin and super moderator accounts were frozen, so we couldn't really get that option going back then.


captcha or its derivatives are fine for bots and other brute force intrusion. but against sophisticated programs or even another human, we need something better (not something cheaper).

surprised no one mentioned optional 2FA with address location and login duration limits. that way users can control not only where but how long their logins are allowed, e.g. in the event that they are working on public terminals, they can allow access for just that login session only, etc.

and HWZ admins, please have some process or workflow to announce security announcements via member PMs. I found out about the breach via CNA instead of from HWZ itself (they kept it in some announcement sub-forum which I rarely visit). yet I always get advertisement PM spam easily. kinda ironic.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 01-03-2018, 04:44 PM   #49
Moderator
 
galapogos's Avatar
 
Join Date: Aug 2000
Posts: 29,859
I don't see how the password complexity is an upgrade since this kind of enforcement is outdated. But agreed with the rest.
I can't remember what the password policy was previously, but any increase in password complexity will deter password guessing attacks, both online (where attackers try to guess commonly used passwords to log into the website in real time) and offline (where attackers get hold of the password information from the server, assuming passwords are not stored on the server side in clear).

Assuming a simple, weak MD5 hash is used (very frowned upon, but hey, short of storing the password in clear, this is the worst case scenario) it would take an 8x GTX1080 cluster only about 2.5 hours to crack the entire range of possible passwords (an Amazon cloud instance might do this even faster). If we upgrade the password complexity to include special characters, this number increases to 73 hours. Increase the min password length to just 10 characters, and this number increases to 76 years. The point is, increasing password complexity helps.

I'm pretty confident the admins know what to do and have good intentions for the community. whether they have a budget and resources for the additional infrastructure to execute the plan is another matter.
My experience with web developers is that they may not know security, so I'm not as confident as you are. Infra guys may be better in deploying proper tiered architecture with appropriate firewalls, WAFs, maintaining properly patched systems, implementing proper encrypted comms between systems, etc, but again this depends on how competent the infra guys are, and like you said, the budget for the server architecture.

and my 2FA suggestion was 'optional' for general users to apply themselves. in other words the feature exists on the website, but let the user themselves decide if they want to use it. give them the ownership and responsibility of their account. granted those of administrative or senior positions within the organization may want to have 2FA enforced. or maybe enforce a 90-day password reset for accounts with accountability. there's plenty of ways to improve security, again the question is whether their hands are tied behind their backs.
Good idea. Higher privileged accounts should always have stricter authentication requirements as a rule of thumb.
__________________
Remember that no matter how strong you think you are there's a little Chinese girl warming up with your max...

HWZ lifting Stats


PM me for iherb discount code

Last edited by galapogos; 01-03-2018 at 04:55 PM..
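galapogos's three figures, reproduced with a small model added here (not from the post). The guess rate is back-calculated from his 2.5-hour figure rather than measured, and the block goes one step beyond the post by showing what a deliberately slow password hash (Pyre's PBKDF2/bcrypt point) does to the same 8-character space.

```python
# Assumption (not stated in the post): 2.5 h for the 62**8 alphanumeric
# 8-character space implies roughly 2.4e10 MD5 guesses per second for the
# 8x GTX1080 cluster. Everything below scales from that calibration.
CALIBRATED_RATE = 62 ** 8 / (2.5 * 3600)

# charset size, length for each policy galapogos compares
SCENARIOS = {
    "8 chars, letters+digits": (62, 8),
    "8 chars, +specials": (95, 8),
    "10 chars, +specials": (95, 10),
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to try."""
    return charset_size ** length


def exhaustive_seconds(charset_size: int, length: int,
                       rate: float = CALIBRATED_RATE, work_factor: int = 1) -> float:
    """Worst-case time to try the whole space. work_factor models a slow hash
    (e.g. PBKDF2 iterations) that divides the attacker's guess rate."""
    return keyspace(charset_size, length) / (rate / work_factor)


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, as in the post."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_policies(rate: float = CALIBRATED_RATE, work_factor: int = 1) -> dict:
    """Map each policy in SCENARIOS to its worst-case exhaustive-search time in seconds."""
    return {name: exhaustive_seconds(cs, n, rate, work_factor)
            for name, (cs, n) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, secs in compare_policies().items():
        print(f"{name:28s} {human(secs)}")
    slow = compare_policies(work_factor=100_000)["8 chars, letters+digits"]
    print(f"same 8 alphanumerics behind a 100k-iteration hash: {human(slow)}")
```

Going from 62 to 95 characters multiplies the time by about 30 and two extra characters by another 95**2, which is where the 73 hours and 76 years come from; a slow hash multiplies it by the iteration count regardless of the policy.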
Old 01-03-2018, 08:49 PM   #50
High Supremacy Member
 
Machiavel's Avatar
 
Join Date: Apr 2015
Posts: 37,539
Sorry about that - I meant to say Enable.
I've edited the posts above.
btw I am able to log in without clicking on any captcha, which means you need to reconfigure the reCAPTCHA.
__________________
品人品文千人千面,无缘不必强求,有缘必再相见

Last edited by Machiavel; 01-03-2018 at 08:54 PM..
Old 01-03-2018, 08:54 PM   #51
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Dear members,

As part of the ongoing updates to the site, you'll notice that our site has switched over to the HTTPS protocol.

Should you encounter any access errors (at least not related to non-HWZ apps), please do help us report them here or on the feedback forum for us to troubleshoot.

Thank you.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 01-03-2018, 08:59 PM   #52
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Was it a re-login?
I experienced that too and it was mentioned that recaptcha's current version doesn't ask you all the time - there's some analysis on its end to sense when it needs to prompt and when it doesn't.

Here's something on it:-
https://security.stackexchange.com/q...gles-recaptcha

btw I am able to log in without clicking on any captcha, which means you need to reconfigure the reCAPTCHA.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 01-03-2018, 09:04 PM   #53
High Supremacy Member
 
Machiavel's Avatar
 
Join Date: Apr 2015
Posts: 37,539
Was it a re-login?
I experienced that too and it was mentioned that recaptcha's current version doesn't ask you all the time - there's some analysis on its end to sense when it needs to prompt and when it doesn't.

Here's something on it:-
https://security.stackexchange.com/q...gles-recaptcha
I am assuming you guys are using invisible captcha.
It is not a relogin issue. I have validated it by using incognito mode and also VPN.

https://developers.google.com/recaptcha/docs/versions
__________________
品人品文千人千面,无缘不必强求,有缘必再相见

Last edited by Machiavel; 01-03-2018 at 09:07 PM..
Old 01-03-2018, 09:08 PM   #54
High Supremacy Member
 
Machiavel's Avatar
 
Join Date: Apr 2015
Posts: 37,539
You just need to set up the checkbox option and don't set the difficulty of the captcha too high.
EDMWers are not very smart.

If you have HTTPS, just use 302 to redirect HTTP traffic to HTTPS.
Your HTTP server should also have a forwarder rule to redirect to HTTPS, btw.
__________________
品人品文千人千面,无缘不必强求,有缘必再相见

Last edited by Machiavel; 01-03-2018 at 09:17 PM..
Old 01-03-2018, 09:27 PM   #55
Senior Member
 
magnesium1's Avatar
 
Join Date: Oct 2013
Posts: 2,053
Dear Doctor Vijay,

I am 'glad' that hardwarezone was hacked!

Don't get me wrong. Before the hack, where were your internal stakeholders? Still daydreaming, I guess.

Hardwarezone has been neglected for so long (as evidenced by how few new features have been introduced and the lack of an upgrade to vBulletin). So, the positive side of the incident is that someone is working hard to improve hardwarezone.

Hi Pyre,

As mentioned earlier, we'll be glad to update on further measures once they are in place. Several internal and external stakeholders are involved in this whole process, where one group is focusing on the investigation, while another is focusing on improving the security measures.

Meanwhile, thank you for your suggestions as well as those contributed earlier from other members - they are definitely appreciated and we can further share these inputs with the necessary working stakeholders.

Regarding the note about announcements, noted on that.
We've also emailed all members of this incident, but you do make a valid point since some emails may not be actively used. We'll take that into consideration. At the point when we issued the press release, all admin, and super moderator accounts were frozen, so we couldn't really get that option going back then.

Old 01-03-2018, 09:28 PM   #56
High Supremacy Member
 
jeff79's Avatar
 
Join Date: May 2001
Posts: 28,798
Dear members,

As part of the ongoing updates to the site, you'll notice that our site has switched over to the HTTPS protocol.

Should you encounter any access errors (at least not related to non-HWZ apps), please do help us report them here or on the feedback forum for us to troubleshoot.

Thank you.
PC browsers still report the forum pages as "Your connection to this site is not fully secure". Login page, my subscriptions, private message, profile page are secure.
Old 02-03-2018, 12:30 AM   #57
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
It is due to external images and scripts.

This will greatly differ based on what's on each page that's being loaded from external sources.

For example, when I made this post here pertaining to your same query, the page was showing it was secure:-
https://deluxeforums.hardwarezone.co...3-post888.html


PC browsers still report the forum pages as "Your connection to this site is not fully secure". Login page, my subscriptions, private message, profile page are secure.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 23-03-2018, 08:57 PM   #58
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Hi Machiavel,

This is fully resolved by now; all non-HTTP links should point to the HTTPS versions.

If you have HTTPS, just use 302 to redirect HTTP traffic to HTTPS.
Your HTTP server should also have a forwarder rule to redirect to HTTPS, btw.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 23-03-2018, 09:24 PM   #59
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Dear members,

As part of the ongoing updates to the site, we've now removed all optional forum data fields in the user profile - apart from the PC configuration detail section.

Thank you.
Pyre likes this.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
Old 06-04-2018, 09:19 PM   #60
Administrator
 
Dr.Vijay's Avatar
 
Join Date: Jan 2000
Posts: 25,825
Dear all,

We've revised the password complexity rules once more.

Minimum complexity is now 8 characters, of which all of the following must be present:- 1 upper case, 1 lower case, a numeral and a special character.

This detail will also be present on the password update page.

There will be more ongoing updates and we'll update here as soon as we've implemented them, as well as when there are more findings to update.

Thank you for your kind patience.
__________________
Vijay Anand
Editor-in-Chief (www.HardwareZone.com) and Forum Administrator
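A checker for the rule announced above, added as an example and not the forum's own validation code. Treating ASCII punctuation as "special character" is an assumption (space and non-ASCII characters count toward length but satisfy no class); the inclusion-exclusion count shows how much of the 8-character space the mandatory classes leave for an attacker to search.

```python
import string
from itertools import combinations

# The four classes named in the announcement. Assumption: "special character"
# means ASCII punctuation (32 characters), so the class alphabet totals 94.
MIN_LENGTH = 8
CLASSES = {
    "upper case": set(string.ascii_uppercase),
    "lower case": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "special character": set(string.punctuation),
}


def policy_violations(password: str) -> list:
    """Return the rules the password fails; an empty list means it is compliant."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append(f"at least {MIN_LENGTH} characters")
    present = set(password)
    for name, members in CLASSES.items():
        if not present & members:
            failed.append(f"1 {name}")
    return failed


def compliant_count(length: int) -> int:
    """Number of strings of this length over the class alphabet that contain at
    least one character of every class, by inclusion-exclusion over the set of
    classes that are absent."""
    sizes = {name: len(members) for name, members in CLASSES.items()}
    total = sum(sizes.values())
    count = 0
    for k in range(len(sizes) + 1):
        for absent in combinations(sizes, k):
            remaining = total - sum(sizes[name] for name in absent)
            count += (-1) ** k * remaining ** length
    return count


def compliant_fraction(length: int = MIN_LENGTH) -> float:
    """Share of all length-N strings over the 94 characters that the rule admits."""
    total = sum(len(members) for members in CLASSES.values())
    return compliant_count(length) / total ** length
```

compliant_fraction(8) comes out a little under one half: mandating all four classes removes the passwords that skip a class, so the space an attacker must cover is about 94**8 / 2, still vastly larger than the 62**8 of a letters-and-digits policy.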