Goto Chockstone Home

  Guide
  Gallery
  Tech Tips
  Articles
  Reviews
  Dictionary
  Links
  Forum
  Search
  About

      Sponsored By
      ROCK
   HARDWARE

  Shop
Chockstone Photography
Australian Landscape Photography by Michael Boniwell
Australian Landscape Prints





Chockstone Forum - Chockstone Feedback

Provide Feedback About This Website

 Page 1 of 2. Messages 1 to 20 | 21 to 36
Author
ummm hacked???

Sabu
13-Dec-2006
8:02:59 AM
Chockstone "Hacked by Karabasan (translated)"

WTF????!?!?

Mike i sincerely hope that you are able to fix this and wish you luck! im also concerned for the linked page to Rock Hardware and their online purchasing security in light of this.

This is a sad day...

Mike
13-Dec-2006
9:27:21 AM
Shit! Some kind of SQL injection attack I assume. Can anyone remember what all the forum's were called and their descriptions? Has anything else been effected?

nmonteith
13-Dec-2006
9:31:50 AM
Everything else looks fine.

Accidents and Injurys
Safer Cliffs Victoria

nmonteith
13-Dec-2006
9:45:13 AM
Safer Cliffs Victoria
Report Unsafe Bolts (not bolting)
dalai
13-Dec-2006
9:56:30 AM
Looks back to normal. Thanks Mike!!

Mike
13-Dec-2006
10:21:20 AM
Only question is how did the little bugger achieve it? There's 8000 lines of code in the forum. I've checked each place where database updates are made and haven't spoted any holes, but obviously it's there somewhere.

Any SQL Injection experts out there want to try some responisble hacking and let me know where the problem is?

Sabu
13-Dec-2006
9:48:39 PM
nice work, i wasn't sure on wat other damage was incured and the amount of work u'd hav to do to repair it! bit of a shock to log on and see that !!

not sure of how he got in but i hav heard of it happening before on other forums

Rupert
16-Dec-2006
7:13:44 AM
Hacked again :(

Mike
16-Dec-2006
9:38:42 AM
Yeah, that's twice now dammit. I'd love to know how it's being done.
Onsight
18-Dec-2006
10:21:46 AM
That must be damn annoying Mike. Good work.

Did the hacking also cause the site to be down yesterday?

Mike
18-Dec-2006
11:53:57 AM
On 18/12/2006 Onsight wrote:
>Did the hacking also cause the site to be down yesterday?

Someone else came into the office over the weekend and decide the breech was enough of a concern to shut it all down while certain checks were being made.

gordoste
18-Dec-2006
1:28:44 PM
whoever it was also changed this forum's name to "Chockstone Feebback"

Breezy
18-Dec-2006
1:33:01 PM
and the link to the 'links' page is broken
rolsen
18-Dec-2006
4:48:26 PM
Mike how do you store our passwords? Are they encrypted and if so what method do you use? Just wondering for those who may use the same passwords over multiple sites, given that someone may have had access to email addresses and passwords.

Richard

PS. Thanks for all your hard work in getting and keeping chockstone running.

Rupert
18-Dec-2006
5:26:38 PM
Mike there is an error when clicking the upload to server link in the upload images FAQ. I guess this is just one of the potential access points where that moron got in.
PensionerPower
18-Dec-2006
11:49:17 PM
On 18/12/2006 rolsen wrote:
>Mike how do you store our passwords? Are they encrypted and if so what
>method do you use? Just wondering for those who may use the same passwords
>over multiple sites, given that someone may have had access to email addresses
>and passwords.

Passwords should never be "encrypted" (using that word in its technical sense). They should always be "salted and hashed". Identical passwords will normally have different "salted and hashed" values - even on a single site.
rolsen
19-Dec-2006
9:13:01 AM
On 18/12/2006 PensionerPower wrote:
>On 18/12/2006 rolsen wrote:
>>Mike how do you store our passwords? Are they encrypted and if so what
>>method do you use? Just wondering for those who may use the same passwords
>>over multiple sites, given that someone may have had access to email
>addresses
>>and passwords.
>
>Passwords should never be "encrypted" (using that word in its technical
>sense). They should always be "salted and hashed". Identical passwords
>will normally have different "salted and hashed" values - even on a single
>site.

Good one. I'm not an expert on this stuff (as I guess you were trying to point out) but I've heard a little about rainbow tables and what not and know a site compromise is a bad thing. If a hacker can update a table surely a select aint that hard?

I was just asking nicely if the passwords were stored in plain text, if so the hacker could have everyones passwords and email addresses. If people use the same passwords at other sites then this could pose a big problem (of course you know this).

Richard
PensionerPower
19-Dec-2006
8:18:02 PM
On 19/12/2006 rolsen wrote:
>On 18/12/2006 PensionerPower wrote:
>>On 18/12/2006 rolsen wrote:
>>>Mike how do you store our passwords? Are they encrypted and if so what
>>>method do you use? Just wondering for those who may use the same passwords
>>>over multiple sites, given that someone may have had access to email
>> >addresses and passwords.
>>
>>Passwords should never be "encrypted" (using that word in its technical
>>sense). They should always be "salted and hashed". Identical passwords
>>will normally have different "salted and hashed" values - even on a single
>>site.
>
>Good one. I'm not an expert on this stuff (as I guess you were trying
>to point out) but I've heard a little about rainbow tables and what not
>and know a site compromise is a bad thing. If a hacker can update a table
>surely a select aint that hard?
>
>I was just asking nicely if the passwords were stored in plain text, if
>so the hacker could have everyones passwords and email addresses. If people
>use the same passwords at other sites then this could pose a big problem
>(of course you know this).

I wasn't trying to have a go at you. I was just saying that the question: "are the passwords encrypted", is not the right question. Indeed, if the forum admin replied "yes", that would be bad - not good!

Hopefully the forum admins will understand that passwords should be salted & hashed - not encrypted. But if they don't understand that, then, my reply will hopefully cause them to google those terms for more information.

gremlin
20-Dec-2006
9:09:18 AM
Actually both methods are correct. See these URL's:
http://au2.php.net/manual/en/function.md5.php
http://au2.php.net/manual/en/function.crypt.php

While this site is done in ASP i suspect it has two similar functions.
Stored 'passwords' should either be a hash of some type, or be using one way encryption.
When you login, your 'password' is hashed or encrypted and compared to the database.
The hash method is more popular as it is easier/faster to write from a developers point of view.

Sorry, i'll put the geek back in his cage...

Mike
20-Dec-2006
11:48:05 AM
Haven't got time to look into this just now. But if someone can dig up some VB script code for ASP that will do this that would be handy. I'll get onto it after the hols.
___

What you want is called a hash, which is basically an operation you perform on some data that produces a completely different set of (seemingly) random data. It is easy to generate a hash from some data, but not feasible to get the data back from the hash. Two very similar sets of source data should produce two very different sets of hashed data. Identical source data will produce an identical hash though, so what unix used to do was create a random two letter 'salt' and prefix the password with that, and then prefix the saved hashed data with it, eg to encrypt the password the first time:

Salt=SS (random two letter data)
Password=PPPPPPPP (users password)
Hash=HHHHHHHH (hashed password)
Stored hash = SSHHHHHHHH (salt + hashed password)

Then when the user wants to log in, you get the salt from the stored hash, prefix it to the users password, calculate the hash, and see if it matches the stored hash (without the salt)

Easy to do under .NET where all the crypto functions are accessible. You'll probably need to find a 3rd party class to do it under asp...

 Page 1 of 2. Messages 1 to 20 | 21 to 36
There are 36 messages in this topic.

 

Home | Guide | Gallery | Tech Tips | Articles | Reviews | Dictionary | Forum | Links | About | Search
Chockstone Photography | Landscape Photography Australia | Australian Landscape Photography | Landscape Photos Australia

Please read the full disclaimer before using any information contained on these pages.



Australian Panoramic | Australian Coast | Australian Mountains | Australian Countryside | Australian Waterfalls | Australian Lakes | Australian Cities | Australian Macro | Australian Wildlife
Landscape Photo | Landscape Photography | Landscape Photography Australia | Fine Art Photography | Wilderness Photography | Nature Photo | Australian Landscape Photo | Stock Photography Australia | Landscape Photos | Panoramic Photos | Panoramic Photography Australia | Australian Landscape Photography | High Country Mountain Huts | Mothers Day Gifts | Gifts for Mothers Day | Mothers Day Gift Ideas | Ideas for Mothers Day | Wedding Gift Ideas | Christmas Gift Ideas | Fathers Day Gifts | Gifts for Fathers Day | Fathers Day Gift Ideas | Ideas for Fathers Day | Landscape Prints | Landscape Poster | Limited Edition Prints | Panoramic Photo | Buy Posters | Poster Prints