Elliquiy unsafe?

Started by persephone325, April 09, 2014, 05:53:06 PM


persephone325

I'm not talking about the people on the site. I recently saw something on the news that the secure server that is used to store passwords for websites (specifically ones with the little lock icon in the url bar before the address like E, Facebook, Tumblr, banking sites) has been targeted by hackers that can send a fake "heartbeat" and steal all your information.

I was wondering if E has protective measures against this, and if we should change our passwords or anything.
This doesn't have to end in a fight, Buck.
It always ends in a fight.
You pulled me from the river. Why?
I don't know.
"Don't dwell on those who hold you down. Instead, cherish those who helped you up."

Beguile's Mistress

I just saw this story on the news. 

persephone325

Since staff can see our IP addresses, I was wondering if any account were to be hacked in this way (or another way) would there be a change in IP address if there was a post made with the hacked account?

Also, I'd still like to know if E is in danger of this. (Not to sound rude. I just didn't want my first question overlooked because I asked another.)

Beguile's Mistress

The hackers wouldn't hack our E accounts.  They hack servers that are sending pings back to our computers and then use that link to steal information from our computers about accounts we have with banks, vendors and the like.

persephone325

In essence, they would have access to our passwords if they hacked the E server. Not sure why anyone would want to hack E, but even so...

Oniya

Well, Mojang recommended that people change their passwords on their Minecraft/Mojang accounts.  I had to update my launcher as well (thankfully it actually works at the 1.5 level on the dinosaur, or the little Oni would have been terribly disappointed that we couldn't play together.)
"Language was invented for one reason, boys - to woo women. And in that endeavor, laziness will not do." - Robin Williams, Dead Poets Society
"I do have a cause, though. It's obscenity. I'm for it." - Tom Lehrer
Don't think it's all been done before / Don't think we're never gonna win this war / Don't think your world's gonna fall apart / All you need is your beautiful heart
O/O's Updated 5/11/21 - A/A's - Current Status! - Writing a novel - all draws for Fool of Fire up!
Requests updated March 17

Oreo

Hmmmm, I wonder if it even steals your password to access your passwords?

She led me to safety in a forest of green, and showed my stale eyes some sights never seen.
She spins magic and moonlight in her meadows and streams, and seeks deep inside me,
and touches my dreams. - Harry Chapin

Vekseid

Quote from: persephone325 on April 09, 2014, 05:53:06 PM
I'm not talking about the people on the site. I recently saw something on the news that the secure server that is used to store passwords for websites (specifically ones with the little lock icon in the url bar before the address like E, Facebook, Tumblr, banking sites) has been targeted by hackers that can send a fake "heartbeat" and steal all your information.

I was wondering if E has protective measures against this, and if we should change our passwords or anything.

I patched it Tuesday morning (Yesterday). I still need to regenerate certificates, but my servers are no longer vulnerable to this.

There are rumors that attacks with the same sort of fingerprint began in November, but apparently other legitimate software can also cause the same sort of fingerprint. I'd recommend changing your passwords, but begin with the most important things and use a checker tool to make sure the site in question is actually patched -

- http://filippo.io/Heartbleed/#elliquiy.com
- http://possible.lv/tools/hb/?domain=elliquiy.com

Elliquiy was not vulnerable prior to the server move in August.

Vekseid

Quote from: Oreo on April 09, 2014, 08:52:50 PM
Hmmmm, I wonder if it even steals your password to access your passwords?

The bug allows you to view a random 64 kilobyte string of loaded memory.

Even if restricted to the webserver user, it would still see POST requests for the duration, so it's possible, however unlikely, that someone saw your password in plaintext.
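To make the "fake heartbeat" concrete from the defending side, here is an added example (mine, not Elliquiy's or OpenSSL's code) of a toy heartbeat handler that performs the one bounds check the vulnerable versions lacked. The record layout (type byte, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520; the function names and the sample records are constructed for the illustration.

```python
"""Toy TLS heartbeat handler with the length check Heartbleed lacked.

Added illustration, not OpenSSL's code. Record layout per RFC 6520:
type (1 byte), payload_length (2 bytes), payload, padding (>= 16 bytes).
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


class MalformedHeartbeat(ValueError):
    """Raised when the declared payload length does not fit the record."""


def handle_heartbeat(record: bytes) -> bytes:
    """Return the response a correct peer sends, or raise MalformedHeartbeat.

    The unpatched code trusted the 16-bit length field and copied that many
    bytes out of its buffer, so a tiny record claiming 65535 bytes was
    answered with whatever lay next in memory (up to 64 KB per request).
    The fix is the single comparison below: the declared length must fit
    inside the bytes that were actually received.
    """
    if len(record) < 3:
        raise MalformedHeartbeat("record too short for a heartbeat header")
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat(f"unexpected heartbeat type {hb_type}")
    # The missing check: header + declared payload + minimum padding must fit.
    if 3 + payload_len + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload of {payload_len} bytes, record holds {len(record)}")
    payload = record[3:3 + payload_len]
    # Echo exactly the declared payload, never a byte more, plus fresh padding.
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + payload + bytes(MIN_PADDING))


def build_request(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Construct a heartbeat request (constructed test vector helper).

    declared_len lets a test produce a malformed record whose length field
    disagrees with the payload actually present.
    """
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + bytes(MIN_PADDING)


def is_rejected(record: bytes) -> bool:
    """True if the handler refuses the record instead of answering it."""
    try:
        handle_heartbeat(record)
    except MalformedHeartbeat:
        return True
    return False


if __name__ == "__main__":
    good = build_request(b"ping")
    print("well-formed echo:", handle_heartbeat(good)[3:7])
    malformed = build_request(b"ping", declared_len=65535)
    print("malformed rejected:", is_rejected(malformed))
```

The check compares the declared length against the record that arrived, which is all a patched server does differently; the checker tools linked in this thread simply send such a mismatched record and see whether the reply is an error or a pile of memory.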


Beguile's Mistress

Companies have been putting in the patch for a while now.  Not everyone has so follow Veks' advice and double check you change your password.

Cassandra Cavenaugh

Quote from: Vekseid on April 09, 2014, 09:26:40 PM
I patched it Tuesday morning (Yesterday). I still need to regenerate certificates, but my servers are no longer vulnerable to this.

There are rumors that attacks with the same sort of fingerprint began in November, but apparently other legitimate software can also cause the same sort of fingerprint. I'd recommend changing your passwords, but begin with the most important things and use a checker tool to make sure the site in question is actually patched -

- http://filippo.io/Heartbleed/#elliquiy.com
- http://possible.lv/tools/hb/?domain=elliquiy.com

Elliquiy was not vulnerable prior to the server move in August.

As someone who works in the infosec industry, you patched faster than most. Many Internets to you for being proactive.
<3 Cassandra

Valthazar

Just set up one-time passwords to be sent to your cell phone each time you log in to your online bank, email, or MMO.  Not fool-proof, but that will give you some extra peace of mind.

stormwyrm

For those of you who are still confused about the nature of the issue, this should help:

http://xkcd.com/1354/

In short, it's rather serious, and one really ought to consider changing one's passwords, especially for important sites, but only after they have confirmed they've fixed the issue on their systems. Here's a list of the popular services whose passwords you might want to consider changing:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
If there is such a phenomenon as absolute evil, it consists in treating another human being as a thing.
O/OA/A, Requests

Valthazar

Thanks for the overview, that helps me to understand it a lot better.

inghippo

Just my opinion, but the Heartbleed bug is about OpenSSL for HTTPS.
So, HTTPS exists to encrypt data from client to server (when you type your password in the login form and post it to the server, "yourpassword" becomes "saddwdaw8w878927323hcdhch" and only the server can understand/reverse this encryption).
This is useful if you are connected to an open wifi or someone is in your network and could sniff what you send from the client; this way, even if the "man in the middle" sniffs some data, it is encrypted and only the server can translate it.

So, my advice is to always check your internet connection, and set a secure password for your wifi/modem.
Never use Internet Explorer; Google Chrome, Firefox, Safari and Opera are better.
Never install toolbars in your browser; they normally collect a lot of data about what you do on the internet and slow down your PC/Mac.
Check that your browser is updated (some browsers auto-update by themselves, so no need to worry).
Get a good firewall/antivirus like Avast and keep it updated (avoid things like Norton or McAfee; they will screw up your file system).
Keep your OS updated (if your OS cannot be updated, try to get one that can be kept up to date).

Another good thing to do is to use a strong password; never use family, friend or pet names, birthdays, or anything that can easily be got from your or your friends' Facebook accounts.

Try thinking about something you normally don't write online, or even better, something random.
Uppercase, lowercase, numbers and symbols can make a strong password.

BabaMama980 is a good password
inghippo84 is not



stormwyrm

If anyone needs advice on choosing new passwords, I think this is the best advice out there: http://xkcd.com/936/

Another XKCD, yes. A password made out of four randomly selected common words gives 44 bits of entropy, which will require an attacker attempting to brute force it to make 17 trillion guesses on average to get it right, if he assumed that you were using the scheme. I assume that Vekseid would soon enough notice that someone was trying to do such nonsense on E and try to stop them, no? It may not be as much help if an offline attack became possible, say if E's authentication database were compromised and an attacker got hold of the encrypted password list for all our accounts, but increasing the number of words makes it harder, and at seven words it becomes essentially infeasible even for intelligence agencies.

I use a similar scheme myself, but for a password vault application, which also is able to generate completely random 25 character passwords for every site and service I use. This is just about 175 bits of entropy, essentially impossible to crack. I don't have to remember them all, just remember the master password for the vault. There's a version of the vault program for Android, so I can use my phone to store my passwords in the same way.
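The entropy arithmetic in the post above, as an added example that is not part of the thread: the function computes bits of entropy for a passphrase of N words drawn uniformly from a list of a given size, and for a random character password of a given length and alphabet. With the 2048-word list xkcd assumed, four words give 44 bits, i.e. a space of 2^44 (about 17.6 trillion) passphrases, of which an attacker who knows the scheme tries half on average; 25 random characters over a 128-symbol alphabet give the 175 bits quoted. The eight-word list is a constructed stand-in; a real list has thousands of entries.

```python
"""Entropy arithmetic behind the xkcd 936 passphrase scheme (added example)."""
import math
import secrets

# Constructed stand-in list; real word lists (e.g. Diceware) hold thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "river", "lantern", "quiet", "marble"]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy for word_count words drawn uniformly, with replacement.

    Each word contributes log2(list_size) bits only if it is chosen at random;
    words you pick yourself are far more predictable than this credits them.
    """
    return word_count * math.log2(list_size)


def expected_guesses(bits: float) -> float:
    """Average guesses for an attacker who knows the scheme: half the space."""
    return 2 ** bits / 2


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for n in (4, 7):
        bits = entropy_bits(2048, n)
        print(f"{n} words from 2048: {bits:.0f} bits, "
              f"{expected_guesses(bits):.3e} guesses on average")
    print(f"25 random chars over 128 symbols: {random_password_bits(128, 25):.0f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The numbers only hold when the words are chosen by the generator, not by the user, which is why the block draws from `secrets` rather than letting a person pick "memorable" words.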

Kythia

I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.
242037

gaggedLouise

Quote from: Kythia on April 16, 2014, 01:12:44 AM
I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.

*worried look* Kythia, please show your good sense - that does not sound healthy. Hackers and password fishers often use robotic programmes to make thousands of attempts on an unknown password, in quick succession. I don't use ultra complicated wordings myself, but picking a word, or a name (preferably one that doesn't have any real connection to you personally) and adding an arbitrary two-figure number, perhaps two arbitrary letters as well, is sort of proactive security.

You must be kidding to be saying you really use "password/number/" as a password, right? Stuff like "password", "facebook", "America", "myhome" and so on are *coughs* a no-no-no.  8-)

I'll reuse the same password for several sites too, but not for all sites.

Good girl but bad  -- Proud sister of the amazing, blackberry-sweet Violet Girl

Sometimes bound and cuntrolled, sometimes free and easy 

"I'm a pretty good cook, I'm sitting on my groceries.
Come up to my kitchen, I'll show you my best recipes"

Oreo

I have to agree. 'Password' is the 4th most commonly used password out there. One of the easiest ways to remember a password is to anagram a sentence. Like: My Favorite Site Is E/ MfsiE!14

That is not my password, just an example.


inghippo

If you don't have time to think up a new password every time, or you feel like you'll forget a complex password, you can try this:

http://www.passwordcard.org/en

It is a password card generator; with the card you can define a lot of passwords.

If you prefer an old-fashioned way, the best way to keep a password is to write it on paper, so:

http://hellocuteness.com/2013/01/free-printable-whats-my-login-password-tracker/
http://www.organizinghomelife.com/archives/5678

Hope this will help to keep your passwords safe and up to date. :)


Oreo

I keep mine written down on a 4x6 card just in case something happens to me and my family needs to advise someone of the circumstances. Like tell Amazon to discontinue my Prime.

*cough* I also keep the card because I can't remember my passwords.


inghippo

Quote: in case something happens to me and my family needs to advise someone of the circumstances. Like tell Amazon to discontinue my Prime.

In case something happens to me or my family, I have to feed a lot of cats, so Amazon will be my last priority! xD

Oreo

Quote from: inghippo on April 16, 2014, 03:53:17 AM
In case something happens to me or my family, I have to feed a lot of cats, so Amazon will be my last priority! xD
All the cats will be hubby's problem, and we have a lot of cats. XD


inghippo

Lucky you! My cats probably call me "mom" in their mind...weird...  ;D

stormwyrm

Quote from: Kythia on April 16, 2014, 01:12:44 AM
I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.

I do hope you're kidding, Kythia. That isn't how hackers and their tools operate, as I've seen them used against systems I have responsibility for, and have used them myself to ensure that they don't work against systems I work to defend. A password cracking tool basically has a dictionary of common passwords, and then it tries those first. There is no question of expectations: the tools they use are programmed to go after the low-hanging fruit first, which includes accounts with passwords like that. And they do this again and again for all the sites they target, and in the times they do get a password from a database, the first thing they'll do is try those same credentials on other sites.
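The "low-hanging fruit first" behaviour described above is exactly what a registration-time denylist check defends against. The following is an added example of such a check (my own code, not Elliquiy's forum software): it compares a candidate password against a common-password list after stripping the trailing digits, symbols and letter substitutions that cracking tools bolt on as rules, so "Password1" and "P@ssw0rd!" are both caught by the entry "password". The denylist here is a tiny constructed sample seeded with the examples named in this thread; a real deployment loads a large breach-derived list.

```python
"""Registration-time check against common passwords (added example).

Normalisation mirrors the cheap transformations an attacker's wordlist rules
apply (case, trailing digits/symbols, a few letter substitutions) so that
trivial variants of a common password are rejected too.
"""
import re
from typing import Iterable, List

# Constructed sample denylist; a production list has millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "facebook", "america", "myhome"}

_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")
_SUBSTITUTIONS = str.maketrans("@$0134", "asoiea")


def normalise(candidate: str) -> str:
    """Lower-case, drop a trailing digit/symbol run, undo common substitutions."""
    base = _TRAILING.sub("", candidate.lower())
    return base.translate(_SUBSTITUTIONS)


def is_common(candidate: str, denylist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if the password, or its normalised form, is on the denylist."""
    words = set(denylist)
    return candidate.lower() in words or normalise(candidate) in words


def check_password(candidate: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_common(candidate):
        problems.append("matches a common password or a trivial variant of one")
    return problems


if __name__ == "__main__":
    for pw in ("Password", "Password1", "P@ssw0rd!", "correct horse battery staple"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The length floor and the denylist are independent checks, so a long passphrase passes while a short but "complex" variant of a common word does not; pairing this with the throttling and lockout that stormwyrm alludes to covers the online guessing case as well.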