
Thread: Twoplustwo emails/passwords hacked. Site down

  1. #41
    Owner Dan Druff
    Reputation
    11007
    Join Date
    Mar 2012
    Posts
    58,489
    Blog Entries
    2
    Another problem with simply choosing a strong e-mail password is that "password recovery" systems tend to be rather weak.

    For example, you might have a great password like h48nu43@8;ng, but that's not very useful if it's too easy to guess your recovery questions. These questions tend to be things like, "Where did you go to elementary school?" and "What color was your first car?" If the hacker gets both of these right (and obviously these would be very easy to research and/or social engineer), he gets to reset your password to something of his choosing.

    In general, once your e-mail address is known to hackers, and if you think you might be a high-value target (such as a high-limit poker player, or a known figure in the poker community), your best play is to both change the e-mail address associated with important accounts AND clean out your saved e-mail on that account to where it doesn't contain anything personal and/or important.

  2. #42
    How Could You? WillieMcFML
    Reputation
    1065
    Join Date
    Mar 2012
    Posts
    6,001
    If 2+2 had an in-house vbulletin expert, this conversation would be moot.

  3. #43
    Owner Dan Druff
    Reputation
    11007
    Join Date
    Mar 2012
    Posts
    58,489
    Blog Entries
    2
    On my old radio show, I remember we prank called an ISP, and when the tech started asking questions to identify my account there (I didn't actually have one), I made up an e-mail address that I supposedly had on their system.

    When he couldn't find that address and said that he was going to hang up on me because he couldn't identify my account, I shouted, "Wait! The make of my first bike was a Huffy. My first car was a Chevy! My high school mascot was a bear! My first grade teacher was Mrs. Jones. Am I getting any of these right?"

    A lot of the listeners laughed because they could relate. So many of these password recovery questions are so lame, and yet they often allow people to gain access to change your password.

  4. #44
    Cubic Zirconia
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    13
    Quote Originally Posted by Dan Druff View Post
    Shouldn't it be up to the individual user whether he wants to use multiple e-mails? Your blog didn't mention that suggestion at all. I felt it was a huge omission, which is why I wrote that post commenting on the whole thing in the first place.
    Of course. There are lots of things I omitted, and that's obviously just a judgement call that I made. Basically, I'm a crypto nerd who's paranoid about coming off as a standard paranoid crypto nerd. I try not to tell people to do too much stuff that will sound like overkill to them because I don't want to be the boy who cried wolf.

    I've always felt that the standard recommendation to use distinct unconnected e-mail addresses--each with its own unique password--for every important account you have falls into the category of "stuff that will sound like overkill." And, I think that when I say stuff like that in the same blog post as something incredibly important like "Change all your passwords that were identical to your 2p2 password", I risk people rolling their eyes at the really important stuff.

    To my knowledge, nearly all of the online poker account hackings have been by way of keylogging, phishing, and server-side e-mail hacking, NOT brute-force attacks on passwords.
    We're talking about a situation in which a hacker is brute-forcing passwords as we speak. That's why I'm talking about that.

    You say that hackers can brute force passwords by gaining access to the server and going after the hashed passwords. Yes, that can be done, but I have news for you. If someone has the ability to gain access to the server of an e-mail provider, they probably already have the ability to change people's passwords without brute-forcing anything. So, again, a strong password wouldn't help anything in such a case.
    Your news is quite oversimplified.

    Rather than get all techy on you, I'll simply point out that this is exactly a situation in which a hacker appears to have had the ability to get passwords but also appears to have not changed anything. That happens really often. I don't actually know of an example of someone gaining access to a server and changing a password.

    This isn't to say that I am suggesting people to choose weak passwords, but a pet peeve of mine has been people using one e-mail for everything -- including their poker accounts with hundreds of thousands of dollars -- and then being surprised when they get hacked. I think that simply encouraging people to choose good passwords gives them a false sense of security, when in reality the smartest thing to do (at least with a lot of money in a poker account) is to use different e-mails for at least those big accounts.

    I'm not saying to use 20 different e-mails, but rather to identify the few accounts you REALLY never want hacked (especially if you're a high limit player), and use different e-mails for those.

    BTW, I edited the post you were complaining about.
    Yeah. We just disagree about how to appropriately balance our advice.

    Frankly, I think that you're biased because you don't really seem to understand the password situation, so you're more interested in solving a problem that you understand. I'm probably biased as well because I like crypto, so I like crypto problems with crypto solutions.

  5. #45
    Cubic Zirconia
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    13
    Quote Originally Posted by Dan Druff View Post
    On my old radio show, I remember we prank called an ISP, and when the tech started asking questions to identify my account there (I didn't actually have one), I made up an e-mail address that I supposedly had on their system.

    When he couldn't find that address and said that he was going to hang up on me because he couldn't identify my account, I shouted, "Wait! The make of my first bike was a Huffy. My first car was a Chevy! My high school mascot was a bear! My first grade teacher was Mrs. Jones. Am I getting any of these right?"

    A lot of the listeners laughed because they could relate. So many of these password recovery questions are so lame, and yet they often allow people to gain access to change your password.
    The easy solution to this is to simply not use the password recovery questions, or to lie. Most of my answers to password recovery questions are themselves unique passwords.

    That's pretty standard advice, actually, but it's unfortunate that people still use password recovery options that are so terrible. I believe that gmail now pushes recovery by phone on people, which is nice.

  6. #46
    Cubic Zirconia
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    13
    Quote Originally Posted by sonatine View Post
    what a terrible post.

    Quote Originally Posted by NoahSD
    The Two Plus Two Forums have been hacked, and the forums have been taken down by the admins to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, the combination of the hashed password together with the salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing–and other things.)

    Why would anyone bother with a dictionary attack when they can simply modify the POST/GET destination calls within the page source to shuffle off the plaintext entry into a flatfile someplace?

    Do you have some forensic evidence actually indicating the crypted passwords were attacked? Occam's razor isn't pointing anywhere near that, is why I ask.

    Example: did the actors access accounts that had not been logged into since the initial intrusion? If so, then yes, it appears they managed to brute force passwords of course. If not, then it's unlikely they would climb up a rain pipe to pick an upstairs window's lock when the front door is wide open.
    We know for sure that he/she/they brute forced passwords because he posted plaintext passwords of some of the mods in the mod forum to prove that he did it.

    Again, though, that's really not atypical at all. See my response to DD two posts up. I mean... if the only thing that you'd told me yesterday would've been that 2p2's security had been compromised, I think my first (compound) question would've been "Were passwords compromised, and how were passwords hashed?" (My next question probably would've been whether e-mail addresses were compromised, FWIW.)
    Last edited by NoahSD; 04-26-2012 at 11:38 PM.
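The exchange above turns on one point: once the hashes and salts are out, a salt alone does not stop anyone from guessing, because the cost of each guess is one MD5. What actually limits an offline guessing budget is the cost of the hash function. The following is an added example, not code from the thread or from vBulletin: it measures the per-guess cost of a fast salted MD5 (a stand-in in the style the thread describes, not vBulletin's exact construction) against PBKDF2-HMAC-SHA256 from the Python standard library, and turns that into a rough guesses-per-day estimate a defender can use when deciding how urgently to rotate passwords after a leak. The 200,000 iteration count is an assumption.

```python
"""Per-guess cost of a fast salted hash vs a slow password hash.

Added example (not from the forum thread or vBulletin). The md5(salt + password)
construction is a constructed stand-in for "salted MD5"; the iteration count is
an assumed server-side cost, not a recommendation for any particular product.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumption: a per-login cost a web server can absorb


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted MD5 in the spirit of the leak described above: one MD5 per guess."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow salted hash: PBKDF2-HMAC-SHA256, standard library only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify(hash_fn, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison; both schemes verify a correct password equally well."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def seconds_per_guess(hash_fn, samples: int) -> float:
    """Average wall-clock cost of one candidate guess when the salt is already known."""
    salt = os.urandom(8)  # the attacker holds the real salt; any value costs the same
    start = time.perf_counter()
    for i in range(samples):
        hash_fn("candidate-%d" % i, salt)
    return (time.perf_counter() - start) / samples


def guesses_per_day(hash_fn, samples: int, cores: int = 1) -> float:
    """Defender-side budget estimate: how many candidates fit in a day on `cores` CPUs."""
    return cores * 86_400 / seconds_per_guess(hash_fn, samples)


def report() -> dict:
    """Compare the two schemes; the slowdown factor is what buys time to rotate passwords."""
    fast = guesses_per_day(fast_hash, samples=20_000)
    slow = guesses_per_day(slow_hash, samples=3)
    return {
        "md5_guesses_per_day": fast,
        "pbkdf2_guesses_per_day": slow,
        "slowdown_factor": fast / slow,
    }


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = fast_hash("Happiness1", salt)
    print("salted MD5 verifies the right password:", verify(fast_hash, "Happiness1", salt, stored))
    for key, value in report().items():
        print(f"{key}: {value:,.0f}")
```

The numbers are machine-dependent, but the ratio is the point: moving from a single MD5 to a tuned PBKDF2 (or bcrypt/scrypt) cuts an attacker's offline guess rate by orders of magnitude, which is exactly the "preventable" part NoahSD refers to, and the salt only stops precomputed tables, not guessing.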

  7. #47
    Cubic Zirconia
    Reputation
    10
    Join Date
    Apr 2012
    Posts
    13
    Quote Originally Posted by Bootsy Collins View Post
    One thing that has been in my head but I am going to throw this out to Druff and to you Noah to bring up to your technical gurus. Why can't we implement secure HTTP browsing or HTTPS with high level encryption that is used for online purchases, banking, etc.?

    To expand more on what I do, I work more on the systems engineering side and not on the development side. I am trying to bring up processes and procedures in that area.
    Encryption (e.g. SSL) is a solution to a different problem. That's the solution to the problem "What if somebody's listening in?"

    Quote Originally Posted by Bootsy Collins View Post
    The default password complexity requirements in a Windows Active Directory environment are eight characters minimum, 22 maximum, the password has to have 1 capital letter and 1 number; what my company did through group policy is to add another requirement, which is a mandatory symbol. Both my PFA and DD passwords do not meet those requirements and apparently they should.
    Password complexity notions like this are really oversimplified. Just as a silly and obvious example, the password "ugagtz" is much less likely to be brute forced than the password "Happiness1".

    They're still probably better than nothing because it's really hard to figure out how strong a password is, but they don't really prevent people from using weak passwords if they want to.

    (They also sort of rub me the wrong way because forcing people to not be lazy seems a bit unfair. Sometimes, I want a weak password because I don't care.)

    Edit: Sorry for rapid-fire posting.
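Two of the posts above make the same underlying point from different angles: a complexity rule like the one Bootsy describes is not a strength measure ("Happiness1" passes, "ugagtz" fails, yet the latter is the harder one to guess), and a recovery answer drawn from a small category such as first-car makes is weaker than a recovery answer that is itself a random secret, which is the approach NoahSD describes. The following is an added example, not code from the thread: it encodes the policy exactly as quoted in the post (not Active Directory's real rule set), applies a deliberately simple guess-space model (a word-plus-digits pattern is charged against an assumed 100,000-word dictionary, anything else is charged as a random string over the character classes it uses), and generates a random recovery answer with the standard library. The word-list size and the category size of 50 are constructed assumptions.

```python
"""Why a complexity policy is not a strength estimate, and why recovery
answers should be random secrets.

Added example, not code from the thread. The policy is the one quoted in the
post, not Active Directory's actual rules; the guess-space model is a toy with
assumed constants, good enough to rank the two passwords discussed above.
"""
import math
import re
import secrets
import string

MIN_LEN, MAX_LEN = 8, 22
WORDLIST_SIZE = 100_000   # assumption: size of a guessing dictionary of common words
FIRST_CAR_MAKES = 50      # assumption: how many plausible answers "make of first car" has


def meets_policy(pw: str, require_symbol: bool = False) -> bool:
    """The rules as quoted: 8-22 chars, one capital, one digit, and (company add-on) a symbol."""
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return (MIN_LEN <= len(pw) <= MAX_LEN and has_upper and has_digit
            and (has_symbol or not require_symbol))


# A capitalised-or-not word followed by a few digits: the classic way to satisfy a policy.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z][a-z]{2,}\d{1,3}$")


def guess_space(pw: str) -> int:
    """Number of candidates a guesser must try under the toy model."""
    if WORD_PLUS_DIGITS.match(pw):
        digits = sum(c.isdigit() for c in pw)
        # dictionary word x (capitalised or not) x the appended digits
        return WORDLIST_SIZE * 2 * 10 ** digits
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return alphabet ** len(pw)


def guess_bits(pw: str) -> float:
    """Guess space expressed in bits, for easy comparison."""
    return math.log2(guess_space(pw))


def category_answer_bits(category_size: int) -> float:
    """Strength of a truthful recovery answer drawn from a small, researchable category."""
    return math.log2(category_size)


def random_recovery_answer(nbytes: int = 16) -> str:
    """A recovery answer that is itself an unguessable secret, to be kept like a password."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for pw in ("Happiness1", "ugagtz"):
        print(f"{pw!r}: passes quoted policy={meets_policy(pw)}, "
              f"with symbol rule={meets_policy(pw, require_symbol=True)}, "
              f"guess bits={guess_bits(pw):.1f}")
    print(f"truthful 'first car' answer: {category_answer_bits(FIRST_CAR_MAKES):.1f} bits")
    print(f"random recovery answer ({8 * 16} bits): {random_recovery_answer()}")
```

Under this model "Happiness1" is about 21 bits of guessing work while "ugagtz" is about 28, which is the ordering NoahSD asserts; and a truthful first-car answer is under 6 bits, so treating recovery answers as passwords rather than facts is the mitigation for the recovery-question weakness discussed earlier in the thread.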

  8. #48
    Owner Dan Druff
    Reputation
    11007
    Join Date
    Mar 2012
    Posts
    58,489
    Blog Entries
    2
    Quote Originally Posted by NoahSD View Post
    Of course. There are lots of things I omitted, and that's obviously just a judgement call that I made. Basically, I'm a crypto nerd who's paranoid about coming off as a standard paranoid crypto nerd. I try not to tell people to do too much stuff that will sound like overkill to them because I don't want to be the boy who cried wolf.

    I've always felt that the standard recommendation to use distinct unconnected e-mail addresses--each with its own unique password--for every important account you have falls into the category of "stuff that will sound like overkill." And, I think that when I say stuff like that in the same blog post as something incredibly important like "Change all your passwords that were identical to your 2p2 password", I risk people rolling their eyes at the really important stuff.

    To my knowledge, nearly all of the online poker account hackings have been by way of keylogging, phishing, and server-side e-mail hacking, NOT brute-force attacks on passwords.
    We're talking about a situation in which a hacker is brute-forcing passwords as we speak. That's why I'm talking about that.

    You say that hackers can brute force passwords by gaining access to the server and going after the hashed passwords. Yes, that can be done, but I have news for you. If someone has the ability to gain access to the server of an e-mail provider, they probably already have the ability to change people's passwords without brute-forcing anything. So, again, a strong password wouldn't help anything in such a case.
    Your news is quite oversimplified.

    Rather than get all techy on you, I'll simply point out that this is exactly a situation in which a hacker appears to have had the ability to get passwords but also appears to have not changed anything. That happens really often. I don't actually know of an example of someone gaining access to a server and changing a password.

    This isn't to say that I am suggesting people to choose weak passwords, but a pet peeve of mine has been people using one e-mail for everything -- including their poker accounts with hundreds of thousands of dollars -- and then being surprised when they get hacked. I think that simply encouraging people to choose good passwords gives them a false sense of security, when in reality the smartest thing to do (at least with a lot of money in a poker account) is to use different e-mails for at least those big accounts.

    I'm not saying to use 20 different e-mails, but rather to identify the few accounts you REALLY never want hacked (especially if you're a high limit player), and use different e-mails for those.

    BTW, I edited the post you were complaining about.
    Yeah. We just disagree about how to appropriately balance our advice.

    Frankly, I think that you're biased because you don't really seem to understand the password situation, so you're more interested in solving a problem that you understand. I'm probably biased as well because I like crypto, so I like crypto problems with crypto solutions.

    This is why it's getting really tough to discuss anything with you, because you can't seem to resist talking down to people.

    I can assure you that I understand this entire situation, but I am interested in suggesting the most effective measures at preventing the hackers from compromising poker accounts. That's a lot more important to me than showing off knowledge of cryptography.

    The bottom line is that your basic advice of "change your e-mail password to something secure" only solves a small percentage of the potential problems, especially if the hackers are only interested in going after a small number of "high value" e-mail accounts (such as high limit players or 2p2 mods).

    Now, I'm fine if you disagree with me about this, but I'd appreciate if you could express it without being condescending.

    I saw this same condescension from you (towards other people) in the thread on 2+2 about the private safety deposit box break-in.

  9. #49
    King of the Carts BUBBLES
    Reputation
    132
    Join Date
    Mar 2012
    Location
    Sunnyvale
    Posts
    1,958
    Quote Originally Posted by NoahSD View Post
    Encryption (e.g. SSL) is a solution to a different problem. That's the solution to the problem "What if somebody's listening in?"

    Quote Originally Posted by Bootsy Collins View Post
    The default password complexity requirements in a Windows Active Directory environment are eight characters minimum, 22 maximum, the password has to have 1 capital letter and 1 number; what my company did through group policy is to add another requirement, which is a mandatory symbol. Both my PFA and DD passwords do not meet those requirements and apparently they should.
    Password complexity notions like this are really oversimplified. Just as a silly and obvious example, the password "ugagtz" is much less likely to be brute forced than the password "Happiness1".

    They're still probably better than nothing because it's really hard to figure out how strong a password is, but they don't really prevent people from using weak passwords if they want to.

    (They also sort of rub me the wrong way because forcing people to not be lazy seems a bit unfair. Sometimes, I want a weak password because I don't care.)

    Edit: Sorry for rapid-fire posting.

  10. #50
    Diamond chinamaniac
    Reputation
    1012
    Join Date
    Mar 2012
    Location
    On a Plane
    Posts
    7,791
    Blog Entries
    2
    Quote Originally Posted by NoahSD View Post
    I believe that gmail now pushes recovery by phone on people, which is nice.
    Isn't it pretty easy to spoof a phone number?

  11. #51
    Diamond PLOL
    Reputation
    1092
    Join Date
    Mar 2012
    Posts
    5,186
    Quote Originally Posted by chinamaniac View Post
    Quote Originally Posted by NoahSD View Post
    I believe that gmail now pushes recovery by phone on people, which is nice.
    Isn't it pretty easy to spoof a phone number?
    Easy going the other way. It's easy to call/text somebody pretending to be somebody else's #. But it's not easy/(possible?) to have it spoofed where you're receiving somebody else's calls/texts.

  12. #52
    Diamond chinamaniac
    Reputation
    1012
    Join Date
    Mar 2012
    Location
    On a Plane
    Posts
    7,791
    Blog Entries
    2
    Quote Originally Posted by PLOL View Post
    Quote Originally Posted by chinamaniac View Post
    Isn't it pretty easy to spoof a phone number?
    Easy going the other way. It's easy to call/text somebody pretending to be somebody else's #. But it's not easy/(possible?) to have it spoofed where you're receiving somebody else's calls/texts.
    ya I didn't think of it that way

    :brainfart

  13. #53
    Gold 408Mike
    Reputation
    7
    Join Date
    Mar 2012
    Location
    Own a dying world
    Posts
    2,333
    Quote Originally Posted by NoahSD View Post
    We know for sure that he/she/they brute forced passwords because he posted plaintext passwords of some of the mods in the mod forum to prove that he did it.
    PLOL, I think he's saying they are onto you...
    Quote Originally Posted by sonatine
    i was pretty butt-hurt when mike said he didn't want to fuck with my home game because i was trannie-bombing threads, but i've definitely come to appreciate mike as a poster and a person and feel genuinely that the last thing on earth he deserves is a dime-store bipolar fruitcake like marty threatening him.

  14. #54
    Gold 408Mike
    Reputation
    7
    Join Date
    Mar 2012
    Location
    Own a dying world
    Posts
    2,333
    Quote Originally Posted by PLOL View Post
    Quote Originally Posted by chinamaniac View Post
    Isn't it pretty easy to spoof a phone number?
    Easy going the other way. It's easy to call/text somebody pretending to be somebody else's #. But it's not easy/(possible?) to have it spoofed where you're receiving somebody else's calls/texts.
    It's damned hard and complicated but could be done.

    More likely what someone would think of as spoofing in this situation would really be some kind of wiretapping/text interception.

    And who the fuck cares really, if you put sensitive and important data in any electronic medium not fully encrypted and under your eye 24/7, I mean you are just sitting waiting to get fucked.

    I say keep it simple- be poor as fuck and have enough alcohol around to keep that pesky IQ south of triple digits and no one will really fuck with you.

    In translation (for the nerd joining us for the next week or two tops mostly) there's nothing wrong with being rich, it's broadcasting this fact that's criminally stupid. So, being poor is clearly ideal. Secondly very wealthy people have a few things in common, aside from making sure people know they're worth coin of course, and that is that they are almost always pretty damn smart.

    The sickening part though, and savvy thieves know this btw, is that the human ego is a real bitch sometimes. Most smart people love thinking smug thoughts and feeling smarter than the mouth breather next to them. Just take 10 minutes and scout around these forums and quickly you can get a feel for who's obviously the cream of the crop. From there dig through their posts and very easily you know the top 5% financially speaking of most of these internet forums. From there, just aim and fire essentially.

    Thieves like to get into the heads of people they jack. i broke into cars as a teenager, my buddy and I hit malls mostly. I wanted to be unseen in the back but he would always want to hit cars right near the entrance because "they can't help themselves, when people get rich most become lazy slobs, used to being catered to hand and foot. This makes em lazy and reckless." We found much loot back in those days hitting nice cars real close to the entrance. Same class of cars as the rich people parking in the way back but much dirtier inside and often cell phones wallets and cash just littered around the cabin (and FOOD, food everywhere.)

    Same dude broke into houses for years (I never would) and he told me "Look for houses with lots of shoes outside the front door. Asians usually have money and almost always leave shoes outside" and that sort of thing. He loved trying to outsmart the people he hated so much.

    My point is just that scumbags look for telltale signs of their prey, thus if you take your security seriously, you should keep that in mind. Ask yourself first and foremost what are you doing to make yourself less of a target, what could you be doing better and from there nuts and bolts security. I might be wrong, but that approach seems much more logical than everyone running amuck with the who's and how's and "quick quick! change your passwords guys!!" amongst hardly audible whispers of "i bet he did this" and "see if only they had done that, this wouldn't have happened"

    Psh get real, changing a password on a site like 4 changes almost nothing security wise in 2012. If anything a smart hacker would set some heavy duty packet sniffers aimed at 2+2's server right now and sit and wait for the scramble. It would literally be hashes falling from the sky, and who knows how much damage might happen at that point.
    Last edited by 408Mike; 04-27-2012 at 03:25 AM.
    Quote Originally Posted by sonatine
    i was pretty butt-hurt when mike said he didn't want to fuck with my home game because i was trannie-bombing threads, but i've definitely come to appreciate mike as a poster and a person and feel genuinely that the last thing on earth he deserves is a dime-store bipolar fruitcake like marty threatening him.

  15. #55
    Platinum Deal
    Reputation
    181
    Join Date
    Mar 2012
    Location
    Mississauga
    Posts
    2,644
    File this under who fucking cares. Anybody that wants access to my 2+2 account can have it. I'm sure 99% of their 350000 account holders think the same way. I do hope whoever hacked it logged into a few mods accounts and starts posting their PM's on other sites. That could be entertainment gold as they take that shit so seriously.

  16. #56
    Gold Steve-O
    Reputation
    36
    Join Date
    Mar 2012
    Posts
    1,812
    Quote Originally Posted by Deal View Post
    File this under who fucking cares. Anybody that wants access to my 2+2 account can have it. I'm sure 99% of their 350000 account holders think the same way. I do hope whoever hacked it logged into a few mods accounts and starts posting their PM's on other sites. That could be entertainment gold as they take that shit so seriously.

    If this thread is any indication, I can only imagine what Noah says PRIVATELY about people. I can only imagine the discussions in the mod forum and through PM's. Could be really bad if there is talk like "so and so is a sponsor please take that thread down" etc.
    I write things about poker at my Poker Blog and elsewhere on the Internets

  17. #57
    Bronze Mad Dad
    Reputation
    10
    Join Date
    Mar 2012
    Location
    North of USA
    Posts
    259
    It is illegal to attempt to hack systems in most jurisdictions. I wonder if the owners of 4 will make a complaint to authorities?

    Of course this might bring the activities of 4 under heightened scrutiny and potentially put those owners at risk if anything illegal is going on. I wonder even if someone is a mod of a site that is engaged in activity that can be proved in court to be illegal such as money laundering or sports betting, if the mod is somehow risking prosecution? I wonder if even a simple user has an account on a site that is engaged in proven illegal activity and it can be shown that the user knows about the illegal activity due to records kept of browsing of threads, if the user is risking prosecution.

    Just as everything can be hacked or broken into, in our society everyone is engaged in activity that can be found illegal even if only not coming to a full stop at a stop sign.

  18. #58
    Gold Steve-O
    Reputation
    36
    Join Date
    Mar 2012
    Posts
    1,812
    Quote Originally Posted by Mad Dad View Post
    It is illegal to attempt to hack systems in most jurisdictions. I wonder if the owners of 4 will make a complaint to authorities?

    Of course this might bring the activities of 4 under heightened scrutiny and potentially put those owners at risk if anything illegal is going on. I wonder even if someone is a mod of a site that is engaged in activity that can be proved in court to be illegal such as money laundering or sports betting, if the mod is somehow risking prosecution? I wonder if even a simple user has an account on a site that is engaged in proven illegal activity and it can be shown that the user knows about the illegal activity due to records kept of browsing of threads, if the user is risking prosecution.

    Just as everything can be hacked or broken into, in our society everyone is engaged in activity that can be found illegal even if only not coming to a full stop at a stop sign.
    Did you just re-read Orwell or something
    I write things about poker at my Poker Blog and elsewhere on the Internets

  19. #59
    Rest In Peace son of lockman
    Reputation
    -112
    Join Date
    Mar 2012
    Location
    upland ca
    Posts
    1,841
    Blog Entries
    1
    You'd think such a large site would have better security...

  20. #60
    Platinum Deal
    Reputation
    181
    Join Date
    Mar 2012
    Location
    Mississauga
    Posts
    2,644
    Quote Originally Posted by son of lockman View Post
    You'd think such a large site would have better security...
    Why? Security is expensive and should be used to protect assets worth something. The security on Seals should be better than the security on 2+2 forums because clients of Seals allegedly have real money at stake. My posts on 2+2 are worthless so I care nothing about security there and I am unwilling to use a secure password there or an associated email address that I ever login to.

    Having said that I'm sure there are a few mods that would buy an RSA token to secure their 2+2 password. It would be a huge inconvenience for them to repost their 13000+ posts even though I'm sure they have them saved on their thumbdrives just in case of an emergency like today. What if something comes up in conversation (IM) where they need to look up something that they posted a few years ago in order to prove someone else wrong on the internet.
