Boards.ie Attack - What Happened? Please post all questions here.

Darragh

maryd26 wrote: »

heya,

well done in the quick response. However just wondering as someone else did above-is there anyway to find out what our old passwords were?! I was automatically logged in on my computer so haven't a clue what mine was exactly and I could easily have had the same password for something else... Even where on another computer I just went through a few and would eventually hit on the right one! Yes I know it's silly.... but I have many different accounts... and now don't know which I need to change and would prefer to avoid changing all of them.
Cheers:)

No, I'm afraid not. They were always protected, even I (using an admin account) couldn't see them. Sorry - I know it's a pain!

Darragh

copacetic wrote: »

Absolutely, it's more of a 'we did an excellent job, but what could we have done better' /lessons learned review kind of thing.

(maybe a bit soon for that:o)

Oh no, completely - we're the first people to say - we could have done things better. Definitely. But the point is - we did as good as we could as quick as we could.

Steve

Overheal wrote: »

so were the gards and the people at RTE all secret boardsies? is that why they responded so prudently? :pac:

Of course.. they're part of the mod conspiracy as well - so is the government and the guys that calculate the VRT on cars.. everyone knows that!

@Darragh, whatever recent feelings there were that the community was losing cohesion, you sir have done a stand up job of abating that and I wholeheartedly salute you for all you have done in handling this matter. :cool:

The Muppet

Terry wrote: »

Casey?

Ha Ha , very good.

Conor

copacetic wrote: »

Absolutely, it's more of a 'we did an excellent job, but what could we have done better' /lessons learned review kind of thing.

(maybe a bit soon for that:o)

TBH, part of it was "how can we send ~300,000 e-mails when we have to assume most of our machines are compromised". Then, once we had an idea of what was and wasn't compromised, "what the hell do we use to send 300,000 mails?". We might have shaved an hour or two off it if everything went perfectly to plan, but things rarely go perfectly to plan.

sprinkles

Steve wrote: »

Of course.. they're part of the mod conspiracy as well - so is the government and the guys that calculate the VRT on cars.. everyone knows that!

It was obviously China. First Google. Now Boards. Someone contact Obama.

robinph

maryd26 wrote: »

heya,

well done in the quick response. However just wondering as someone else did above-is there anyway to find out what our old passwords were?! I was automatically logged in on my computer so haven't a clue what mine was exactly and I could easily have had the same password for something else... Even where on another computer I just went through a few and would eventually hit on the right one! Yes I know it's silly.... but I have many different accounts... and now don't know which I need to change and would prefer to avoid changing all of them.
Cheers:)

If your browser has been saving your passwords for various websites to automatically log you in then you can find it out from there.

Hotblack Desiato

The Muppit wrote: »

Originally Posted by Terry
Casey?

Ha Ha , very good.

Laugh all you will, but Casey got me my one and only infraction on boards :eek: so mind what you say!

copacetic

Conor wrote: »

TBH, part of it was "how can we send ~300,000 e-mails when we have to assume most of our machines are compromised". Then, once we had an idea of what was and wasn't compromised, "what the hell do we use to send 300,000 mails?". We might have shaved an hour or two off it if everything went perfectly to plan, but things rarely go perfectly to plan.

Oh yeah, agreed. I'd have ditched the email idea and just changed the home page notice. I'd imagine most boardsies probably got it from there first or via news outlets. Getting it on the six was impressive, especially with the segway into the break. Thats 0.5million viewer or so straight away*. It sounds like a lot of the mails didn't make it anyway with spam filters etc.

Must have been a tough couple of days for you guys, I definitely think that this would have been much tougher a while back. Having the comms guys to deal with PR and information must have made a big difference to let you actually get the work done.

They were bound to come in useful some day!:D

*450,000 of which probably never heard of boards. Personally I'd feel this is will work out well for boards in the end.

Conor

unkel wrote: »

What's with the maybe not stuff?

Your answer is as vague as can be. Speak up lad and show some responsibility!

We know some of the details but not everything. We may never know the full details on how the admin account was compromised.

Working on the assumption that it will happen again, a good chunk of the effort over the last day and a half went into making sure that the risk from a compromised admin account is much lower than it was two days ago.

Morlar

Darragh wrote: »

Oh no, completely - we're the first people to say - we could have done things better. Definitely. But the point is - we did as good as we could as quick as we could.

Could I ask, why have you not announced which foreign country this originated from ? I know the investigations are ongoing but you can be sure the people who did it are aware of where they come from so what is to be gained from witholding this piece of information from everyone else whose information was potentially compromised ?

Jonathan

Conor wrote: »

We know some of the details but not everything. We may never know the full details on how the admin account was compromised.

Working on the assumption that it will happen again, a good chunk of the effort over the last day and a half went into making sure that the risk from a compromised admin account is much lower than it was two days ago.

Are we talking about a server root account or a vBulletin admin account? And if it is the latter, why do they have access to the codebase?

Conor

Morlar wrote: »

Could I ask, why have you not announced which foreign country this originated from ?

It's not fair to point fingers unless we know that the attack actually came from there and wasn't merely bounced through some unwitting third party.

My name is URL

Do you think it was a planned and concise attack to gain personal info or did they just happen to find a vulnerablity that allowed for that while looking for mischief?

Morlar

Conor wrote: »

It's not fair to point fingers unless we know that the attack actually came from there and wasn't merely bounced through some unwitting third party.

Don't take this the wrong way but so what if it has the teeny tiny potential to be marginally/remotely 'unfair to a country'

I am sure the country in question will not crumble to the ground at the revelation.

No one is asking which companies servers or anything - just the country.

partyatmygaff

Conor wrote: »

It's not fair to point fingers unless we know that the attack actually came from there and wasn't merely bounced through some unwitting third party.

Any chance you could tell us whether it was from Europe/America/Australia or Asia/Africa?

Like where did this attack originate from wittingly or not? A western country or an eastern country?

We always need to have something to be guessing

unkel

Conor wrote: »

We know some of the details but not everything. We may never know the full details on how the admin account was compromised.

Working on the assumption that it will happen again, a good chunk of the effort over the last day and a half went into making sure that the risk from a compromised admin account is much lower than it was two days ago.

Thanks for the reply / update, Conor. I and most likely another few hundred thousand other boardsies are most interested in how this happened and how it won't be able to happen again in the future

Conor

Jonathan wrote: »

Are we talking about a server root account or a vBulletin admin account?

vBulletin.

Jonathan wrote: »

And if it is the latter, why do they have access to the codebase?

Explaining this would be going into more detail than I'm willing to do right now. If you have a copy of vBulletin you might be able to figure it out though.

longshanks

yeah congrats and all that, but since its been back up all the writing/text is tiny. whats that all about? the menu at the top is microscopic

carolireland

Thank you for everything guys. The last couple of days must have been a huge amount of work and a right pain.
Anyway many thanks. It is nice to have you back.

mkem

Welcome Back !!!!!!!!

Conor

Morlar wrote: »

Don't take this the wrong way but so what if it has the teeny tiny potential to be marginally/remotely 'unfair to a country'

I am sure the country in question will not crumble to the ground at the revelation.

No one is asking which companies servers or anything - just the country.

It's not about saving embarrassment for them.

partyatmygaff2 wrote: »

Any chance you could tell us whether it was from Europe/America/Australia or Asia/Africa?

Like where did this attack originate from wittingly or not? A western country or an eastern country?

We always need to have something to be guessing

Guess all you like.

Atavan-Halen

Conor wrote: »

Guess all you like.

It was Sealand, I know it! :P

Seriously though guys, excellent work! Was any of the adverts.ie stuff affected, just out of curiosity?

Morlar

Conor wrote: »

It's not about saving embarrassment for them.

If you can't say which country it 100% definitely originated from - why can you not say which country you believe it originated from ?

anniehoo1

God i missed yas!Welcome back. Was strangely proud when i heard boards mentioned on the news

Cant get access to my original email account so had to reregister!I used the same password for that as on here..:( I cant open any mails in my inbox at all.Hopefully its just my laptop acting funny.

Conor

unkel wrote: »

Thanks for the reply / update, Conor. I and most likely another few hundred thousand other boardsies are most interested in how this happened and how it won't be able to happen again in the future

This particular attack is quite unlikely to succeed again. There will be other attacks though (there are hundreds of lame, unsuccessful ones every day) and we're doing our best to prevent them from succeeding and also to minimise the damage caused if they do succeed.

Ultimately though, there are very few absolutes in the computer security game so I can't say "never again".

Master-Geek

• 11:22 – Administrative account compromised
• 11:22 -> 11:34 – Administrative account used to insert malicious code into our software
• 11:34 – User table dumped to public directory and downloaded

Why hasn't their been a technical thread about the more technical specifics? As it all sounds very quick to judge.
Like the proxy the cracker(not hacker, it's an insult) would have used. And was their anti-proxy methods for the admin directory, Was the code injected via vBulletin's template engine, was the DUMP downloaded via phpAdmin, which admin account was SNIFFED, how come htaccess was not in place to ensure optimal security with access to the admin directory of vBulletin?(http://www.boards.ie/vbulletin/admincp/)
I'm taking a guess, but the database must be quite large. And a two minute window for the DUMP and download to occur. So IF the cracker was international (most likely not, probably falsified headers). 2 minutes is a very short time for DUMP and download to be accomplished.

Overheal

Steve wrote: »

@Darragh

NO.

Now I know we all spent the last 2 days learning how to Tweet but Ill be damned if I start seeing it here :cool:

longshanks

Conor wrote: »

Ultimately though, there are very few absolutes so I can't say "never again".

both you and sean connery have that in common apparently. it can only lead to good things

Tigger

whowazzittattukbordsawayiamgannacillldem

cinsearly tig