1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

bit-tech forum alert: Please change your password

Discussion in 'Feedback & Suggestions' started by Dogbert666, 7 Sep 2016.

  1. singleton99

    singleton99 New Member

    Joined:
    5 Apr 2013
    Posts:
    2
    Likes Received:
    0
    done,,,,,, thanks for the email
     
  2. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,761
    Likes Received:
    897
    They're not the same vulnerability. The only way the Bit-Tech attack was discovered was when somebody found a site offering access to the leaked database. There were no signs on the server that anything had happened, and the hole the attackers had used was already patched. You're saying Bit-Tech should have been patched when the Hexus breach was discovered: it was. Trouble is, the Bit-Tech database had been leaked months earlier, and as the result of a different vulnerability in vBulletin.

    If you'll permit me an illustrative example: let's say your colleague's company laptop is breached due to a flaw in Windows. The breach is discovered and all company laptops patched to prevent another leak. Months earlier, unbeknownst anyone, a completely different flaw in Windows was used to steal data from your company laptop. The attacker left no trace. What could the shared IT staff have done between the discovery that your colleague's laptop was hacked and the discovery that your laptop was hacked to protect you? Nothing, short of building a time machine.

    Remember, we're talking about an attacker who took a dump of the database. They haven't been in the system lurking since January: they got in, took the data, and left without trace. The vulnerability used will have been patched when vBulletin was updated, but by then it was too late: the attacker is locked out, but already has the data.

    Again: two different attacks, two different vulnerabilities. To descend into metaphor for a moment: you find out your next-door-neighbour was broken into thanks to a flaw in their lock which allows anyone to open and lock it again wthout leaving a trace. You use the same lock, so both you and your neighbour replace it with an updated version that fixes the flaw. Trouble is, months earlier someone broke into your house, photocopied your bank statements, and left. Neither the knowledge you have gained from your neighbour nor the new lock can prevent that: it has already happened, and the only way you'll know is if you find your bank statements for sale on some Tor site somewhere.

    You refer to "the vulnerability". There is no one vulnerability here, and the vulnerability used to breach Hexus was patched in Bit-Tech as soon as the patch became available - which, if I'm understanding you, is what you believe should have happened. Even if both breaches used the same vulnerability, patching the hole in August doesn't prevent the attacker from gaining access in January.


    Yes, and those technical staff kept vBulletin up to date with security patches on both sites. Trouble is, there's a window between the discovery and exploitation of a flaw and a patch being made available.

    (Apologies for any mistakes - I'm on my phone.)
     
  3. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,529
    Likes Received:
    1,760
    That's all I needed to know. Thanks.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,761
    Likes Received:
    897
    If I'd known that, I could have saved myself considerable wrestling with autocorrect! :p
     
  5. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,529
    Likes Received:
    1,760
    I forget that you're permanently stuck in verbose mode. :lol: :p
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,761
    Likes Received:
    897
    I CAN QUIT WHENEVER I WANT, DAMMIT. :worried:
     
  7. Isitari

    Isitari Member

    Joined:
    6 May 2009
    Posts:
    328
    Likes Received:
    16
    Thanks for the heads up and might explain why someone got into my rockstar account recently (lol nothing there), I got in before any damage was caused. So I went around a few places (including here) changing passwords. Thankfully only used my crap passwords on these sites as it's all non-critical. Though it might have been someone brute forcing the password instead but I've never had it happen before with any other online account.

    Sent from my SM-N915FY using Tapatalk
     
    David likes this.
  8. tristanperry

    tristanperry Active Member

    Joined:
    22 May 2010
    Posts:
    902
    Likes Received:
    37
    Done; thanks for the email, I probably would have overlooked this thread to be honest.
     
    David likes this.
  9. boiled_elephant

    boiled_elephant Whitelist Bit-Tech in your adblock!

    Joined:
    14 Jul 2004
    Posts:
    5,920
    Likes Received:
    424
    +rep for that link, apparently my data was also in the Adobe breach, so...yeah, time to start changing passwords. Again.

    edit- lol, that rep power, he went from zero to hero instantly.
     
  10. Fingers66

    Fingers66 Kiwi in London

    Joined:
    30 Apr 2010
    Posts:
    7,429
    Likes Received:
    447
    As a journo, he gets paid by the word, hard habit to break :D:D:D
     
  11. B1GBUD

    B1GBUD ¯\_(ツ)_/¯

    Joined:
    29 May 2008
    Posts:
    3,183
    Likes Received:
    357
    I'm clean.... C L E A N !!!!

    Awww... reminds me when Tel used to drop the rep bomb :waah:, it's proper broken but I don't want it to changed lol :lol:
     
  12. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,144
    Likes Received:
    135
    You know the exact same thing happened to my own rockstar account. I had a different password from bit - tech though.
     
  13. modd1uk

    modd1uk Well-Known Member

    Joined:
    4 Sep 2006
    Posts:
    3,125
    Likes Received:
    204
    I had no email :(
     
  14. CrapBag

    CrapBag Well-Known Member

    Joined:
    17 Jul 2008
    Posts:
    6,971
    Likes Received:
    215
    Nor me, changed mine due to see this thread.
     
  15. FuzzyOne

    FuzzyOne

    Joined:
    19 Sep 2002
    Posts:
    1,785
    Likes Received:
    31
    Lastpass saves the day! (again)
     
  16. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    12,529
    Likes Received:
    1,760
    Is this the same LastPass that has been breached twice in the last five years? The vault hasn't been emptied as yet - maybe testament to it's resilience...

    Personally, I think a central web-based resource for all your passwords is a bad idea - I don't care what encryption strength they claim, nothing is impregnable.
     
  17. CrapBag

    CrapBag Well-Known Member

    Joined:
    17 Jul 2008
    Posts:
    6,971
    Likes Received:
    215
    Yeh some remote password storing system, hmm count me out.
     
  18. Guest-16

    Guest-16 Guest

    Exactly.

    Written down works for me. If someone is willing to come into my house and find that then they have an agenda more than just posting under my forum name.
     
  19. deathtaker27

    deathtaker27 #noob

    Joined:
    17 Apr 2010
    Posts:
    2,051
    Likes Received:
    111
    Any chance of us getting an SSL Certificate after this breach?
     
  20. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,144
    Likes Received:
    135
    Its coming in the new forum apparently
     

Share This Page