Heartbleed fun at AATG

dirtbox
Edit: removed the links.

If you have an account here older than 2 years it has been compromised.

If you have the same password you use for AATG attached to either your username or email address on any other site, change them now.
#1 at 11:45:57 - 11/07/2014
darren
Better change your passwords, chaps!

~dirtbox
#2 at 11:51:28 - 11/07/2014
Syrok
Ugh, thanks for letting us know.
#3 at 12:22:18 - 11/07/2014
dirtbox
I wouldn't bother changing them just yet though, just change the passwords on any other sites that are the same.

This site's database apparently stores them all in plain text and can be brute forced at any time for a fresh new list of current passwords until Hairy puts some sort of encryption in place.
#4 at 12:33:33 - 11/07/2014
DDevil
Well, I picked a good day to remember AATG exists...

Glad I don't use that password elsewhere!
#5 at 13:30:24 - 11/07/2014
dirtbox
Whatever you say, ceilingtom!
#6 at 13:31:17 - 11/07/2014
Flying_Pig
Thanks for the heads-up!!

Had to change a few passwords, but nothing too worrying!
#7 at 13:51:58 - 11/07/2014
billdoor
odd, can't see my email on there. Which is a defunct lineone.net addy :)
#8 at 14:16:15 - 11/07/2014
billdoor
btw, in the interim should we all change our passwords to Russian boys love cock?
#9 at 14:16:58 - 11/07/2014
DDevil
dirtbox said: Whatever you say, ceilingtom!

Hah, you wish you guys were still interesting enough to spy on.

In reality, I do tend to wander into here once a month or so, when bored. First time in quite a while there's been anything going on, and it's a security leak. Wheeeeeeeee.
#10 at 14:37:21 - 11/07/2014
dirtbox
Ignore the pastebin, it's just a gmail scrape and doesn't contain anything sensitive.

If your account is older than 2 years, it's on the Russian site.
#11 at 14:44:32 - 11/07/2014
HairyArse
Yo.

First things first, the site passwords are not saved in plain text in the database. They're hashed and salted but it appears the encryption was broken.

I'm not entirely sure what I can do about this to be honest. What I can tell you is that the site's database and hosting have all changed since this happened with new usernames and password applied to the hosting and database.

Obviously you should all change your passwords. If anyone else has any other suggestions on how I can better protect against this then I'm all ears.
#12 at 14:54:21 - 11/07/2014
dirtbox
Well you can start by sending out a group email, BCCing everyone's email attached to their aatg account, explaining the situation and suggesting they change any password that is attached to that username or email that is the same as AATG's.

Changing their AATG password is pointless now, it's everything else that is vulnerable.
#13 at 15:01:23 - 11/07/2014
dirtbox
And you need to change your encryption to SCRAM-SHA-1 or something that includes the username along with the password before the MD5crypt hash.
#14 at 15:08:21 - 11/07/2014
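One way to act on the suggestion above, as an added example that is neither the site's code nor anything posted in the thread: a slow, per-user-salted password hash (PBKDF2-HMAC-SHA256 is used here in place of SCRAM, which is a network authentication protocol rather than a storage format) with the username bound into the salt, plus a login step that rehashes a legacy record the first time its owner signs in. The `md5$` legacy scheme and the sample store are constructed for the demo and stand in for whatever the site actually used.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP guidance)


# Hypothetical legacy record: one MD5 pass over salt+password, standing in
# for the MD5-style store discussed in the thread. Constructed for the demo.
def legacy_hash(salt: bytes, password: str) -> str:
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def modern_hash(username: str, password: str, salt=None) -> str:
    """Slow KDF, 16-byte random salt; the username is mixed into the salt so a
    record only verifies for the account it was created for."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             salt + username.encode(), ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, base64.b64encode(salt).decode(),
                                base64.b64encode(dk).decode())


def verify(record: str, username: str, password: str) -> bool:
    """Constant-time check of either record format."""
    scheme, *parts = record.split("$")
    if scheme == "md5":
        salt = bytes.fromhex(parts[0])
        return hmac.compare_digest(legacy_hash(salt, password), record)
    if scheme == "pbkdf2":
        iters, salt_b64, dk_b64 = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64) + username.encode(),
                                 int(iters))
        return hmac.compare_digest(base64.b64encode(dk).decode(), dk_b64)
    return False


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """On a successful login, transparently replace a legacy record with the
    modern format so the weak hash leaves the database over time."""
    record = store.get(username)
    if record is None or not verify(record, username, password):
        return False
    if record.startswith("md5$"):
        store[username] = modern_hash(username, password)
    return True


# Constructed sample store: one legacy account, one already migrated.
STORE = {
    "alice": legacy_hash(b"\x01\x02\x03\x04", "correct horse"),
    "bob": modern_hash("bob", "battery staple"),
}
```

Accounts whose hashes are known to be in a public dump should additionally be forced through a password reset; rehash-on-login only fixes the storage format, not a password that is already out there.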
HairyArse
I'm pretty sure I emailed all users when I first got wind of this a couple of years ago, actually. It's one of the things that prompted me to change hosts in the first place. Although I've just had a look in my sent mail folder and can't see any evidence of it.

If I can't find evidence to confirm I did do this once already then I'll do it again.
#15 at 15:08:30 - 11/07/2014
dirtbox
I didn't hear anything about that.

You knew about this for 2 years?

ed: just checked my email, you didn't let me know and I've searched the site and there's no thread about it. Also no mention on EG.

I don't know what to make of this.
#16 at 15:11:18 - 11/07/2014
HairyArse
I will look into that as it's not something I've come across before.

I'm also going to have to try and decipher Shivoa's code as he's the one that wrote the login/registration script in the first place.
#17 at 15:11:57 - 11/07/2014
dirtbox
Sounding like a stuck record here, but I just need to clarify - are you saying you knew about this for 2 years but didn't tell anyone else that was affected?
#18 at 15:18:05 - 11/07/2014
mal
It's odd that neither of my accounts' emails seem to be in the pastebin output. Perhaps it's intercepting login cookies on the server, and then viewing the profile using that cookie to get the email (and undoing the obvious email obfuscation therein), and since I've barely been on the internet these past few weeks mine's not been scooped (until today, oops).

But no offense, it seems a little unlikely that some of those old-timers were regularly visiting here, or am I wrong?

On the other hand, perhaps the passwords were cracked by brute force. I've not checked the Russian forum thread, so I don't know what they claim they've got. But my password here should be relatively easily brute forced, provided they found my username somewhere (if they were logging in via the web front end, user id gets you nowhere, it's user name you need). If they were brute-forcing via the http server, it should be relatively easy to spot in your logs though.

Those seem the most obvious vectors to me that fit the fact they don't seem to have found my email address: sniffing session cookies by something installed either on the server or close to it (but that wouldn't give them passwords), or brute-forcing the web interface (but that would be in the logs). Or, thinking about it, if they got close enough to sniff cookies, they could be close enough to watch for form submits containing people's passwords in the clear, though again, I doubt all those people are actually logging on (rather than relying on non-expiring cookies) to get onto aatg all that regularly.
#19 at 15:31:54 - 11/07/2014
dirtbox
Ignore the pastebin. In fact I'm going to remove both links from the OP now.
#20 at 15:35:03 - 11/07/2014
mal
Why? It show(ed) (some of) what they know.

Can you quote the salient claims from the Russian forum? I'd like to know what they reckon they can do - that would help inform Hairy on what to tighten up specifically.

Edit: To be clear, removing the links is the right thing to do.
#21 at 15:55:56 - 11/07/2014
dirtbox
The pastebin was just a list of gmail addresses scraped from the list that was on the other site, the similarity ended there.
#22 at 16:00:05 - 11/07/2014
StixxUK
oh dear
#23 at 16:00:48 - 11/07/2014
Mapster
Hello everybody peeps. Have checked my two accounts here and both use email accounts that are no longer in use/have been deleted. The passwords also are no longer in use so all good. I hope. Hope you're all well!
#24 at 16:34:31 - 11/07/2014
HairyArse
I'm saying I caught wind of this ages ago and immediately changed internet hosts, database servers, usernames and passwords and I'm pretty certain I sent an email to all email addresses in the AATG database advising people to change their passwords.

It's old news, it's just that for whatever reason, some of you guys got wind of it today. But obviously if people have concerns and fears then it would be remiss of me not to address them.
#25 at 17:14:15 - 11/07/2014
dirtbox
So how come not one person knew anything about it until I stumbled across that thread, which I should add is one of many across many hacker boards.

What usernames and passwords did you change?

I spoke to Shivoa to double check (seeing as he's the guy who wrote the back end for the login) and he hadn't heard anything either.

Who did you tell?

All we could find was one random mention that you were changing hosts.
#26 at 17:17:45 - 11/07/2014
HairyArse
I changed usernames and password for site FTP, databases and control panel login.

I didn't mention it on here because I didn't know, and still don't know, the full extent of the problem, and wanted to avoid creating any unnecessary concern. If it's just a list of email addresses, which is all I've ever seen, then it's not as bad as it could be.

Obviously none of it is ideal, and obviously I want to do everything in my power to address the issue. But I can do nothing about what's out there.

I can manually change everyone's passwords and force everyone to change it...

#27 at 17:25:39 - 11/07/2014
HairyArse
I didn't speak to Shivoa about it because I didn't think it was right to trouble him about code he wrote 8 years ago and probably has little recollection of.
#28 at 17:29:27 - 11/07/2014
kalel
We can have an inquisition later, but for now can you just clarify if my password to this site is posted on a Russian forum? And if so, can you tell me what password it is Hairy? I've changed it in the last two years so have no way of knowing, and I can't work out how to see what my password is on the site.
#29 at 17:30:25 - 11/07/2014
dirtbox
Well.

There is a list of some 2-300 of your users on various low life sites of everyone's account details, the passwords may be hashed and salted, but the encryption can be, and has been, brute forced by anyone with the patience or know-how, and if only a couple of those people use the same password for their all-purpose email then they are boned.

Every single email address on your list of users needs to be told immediately, and I hope you have all your disclaimers and T&Cs in place and legally correct, because if anyone has lost anything, then you're likely liable for damages.
#30 at 17:42:27 - 11/07/2014