Discussion in 'Feedback & Suggestions' started by Dogbert666, 7 Sep 2016.
Done, thanks for the email.
They're not the same vulnerability. The only way the Bit-Tech attack was discovered was when somebody found a site offering access to the leaked database. There were no signs on the server that anything had happened, and the hole the attackers had used was already patched. You're saying Bit-Tech should have been patched when the Hexus breach was discovered: it was. Trouble is, the Bit-Tech database had been leaked months earlier, and as the result of a different vulnerability in vBulletin.
If you'll permit me an illustrative example: let's say your colleague's company laptop is breached due to a flaw in Windows. The breach is discovered and all company laptops patched to prevent another leak. Months earlier, unbeknownst to anyone, a completely different flaw in Windows was used to steal data from your company laptop. The attacker left no trace. What could the shared IT staff have done between the discovery that your colleague's laptop was hacked and the discovery that your laptop was hacked to protect you? Nothing, short of building a time machine.
Remember, we're talking about an attacker who took a dump of the database. They haven't been in the system lurking since January: they got in, took the data, and left without trace. The vulnerability used will have been patched when vBulletin was updated, but by then it was too late: the attacker is locked out, but already has the data.
Again: two different attacks, two different vulnerabilities. To descend into metaphor for a moment: you find out your next-door neighbour was broken into thanks to a flaw in their lock which allows anyone to open and lock it again without leaving a trace. You use the same lock, so both you and your neighbour replace it with an updated version that fixes the flaw. Trouble is, months earlier someone broke into your house, photocopied your bank statements, and left. Neither the knowledge you have gained from your neighbour nor the new lock can prevent that: it has already happened, and the only way you'll know is if you find your bank statements for sale on some Tor site somewhere.
You refer to "the vulnerability". There is no one vulnerability here, and the vulnerability used to breach Hexus was patched in Bit-Tech as soon as the patch became available - which, if I'm understanding you, is what you believe should have happened. Even if both breaches used the same vulnerability, patching the hole in August doesn't prevent the attacker from gaining access in January.
Yes, and those technical staff kept vBulletin up to date with security patches on both sites. Trouble is, there's a window between the discovery and exploitation of a flaw and a patch being made available.
(Apologies for any mistakes - I'm on my phone.)
That's all I needed to know. Thanks.
If I'd known that, I could have saved myself considerable wrestling with autocorrect!
I forget that you're permanently stuck in verbose mode.
I CAN QUIT WHENEVER I WANT, DAMMIT.
Thanks for the heads up; it might explain why someone got into my Rockstar account recently (lol, nothing there). I got in before any damage was caused. So I went around a few places (including here) changing passwords. Thankfully I only used my crap passwords on these sites as it's all non-critical. Though it might have been someone brute forcing the password instead, I've never had it happen before with any other online account.
Sent from my SM-N915FY using Tapatalk
Done; thanks for the email, I probably would have overlooked this thread to be honest.
+rep for that link, apparently my data was also in the Adobe breach, so...yeah, time to start changing passwords. Again.
edit- lol, that rep power, he went from zero to hero instantly.
As a journo, he gets paid by the word, hard habit to break
I'm clean.... C L E A N !!!!
Awww... reminds me when Tel used to drop the rep bomb. It's proper broken but I don't want it changed lol
You know the exact same thing happened to my own Rockstar account. I had a different password from bit-tech though.
I had no email
Nor me, changed mine due to seeing this thread.
Lastpass saves the day! (again)
Is this the same LastPass that has been breached twice in the last five years? The vault hasn't been emptied as yet - maybe testament to its resilience...
Personally, I think a central web-based resource for all your passwords is a bad idea - I don't care what encryption strength they claim, nothing is impregnable.
Yeh some remote password storing system, hmm count me out.
Written down works for me. If someone is willing to come into my house and find that then they have an agenda more than just posting under my forum name.
Any chance of us getting an SSL Certificate after this breach?
It's coming in the new forum apparently