Author Topic: Elliquiy unsafe?  (Read 1489 times)

Offline persephone325 (Topic starter)

  • E's Resident Bucky Barnes/Winter Soldier Addict | Howling's Dagger | Resident Wiccan | Proud Echelon | Winter Widow | Mab's Sister, separated at birth | Princess Persephone, if you prefer
  • Dame
  • Addict
  • *
  • Join Date: Jul 2012
  • Location: Romania...Russia...Siberia
  • Gender: Female
  • Ready to comply...
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 1
Elliquiy unsafe?
« on: April 09, 2014, 05:53:06 PM »
I'm not talking about the people on the site. I recently saw something on the news that the secure server that is used to store passwords for websites (specifically ones with the little lock icon in the url bar before the address like E, Facebook, Tumblr, banking sites) has been targeted by hackers that can send a fake "heartbeat" and steal all your information.

I was wondering if E has protective measures against this, and if we should change our passwords or anything.

Offline Beguile's Mistress

  • Time flies like an arrow ~ Fruit flies like a banana ~ Elliquiy's Fair-E Godmother
  • Dame
  • Carnite
  • *
  • Join Date: Jul 2009
  • Location: Faeleacanvald ~ The Steeler Nation ~ Home of Lord Stanley's Cup 2016 ~ She won't stay throwed! ~ 48\22-5\1\11-5\7
  • Gender: Female
  • Perpetual Notion Machine ~ 'What if...?'
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 3
Re: Elliquiy unsafe?
« Reply #1 on: April 09, 2014, 05:58:11 PM »
I just saw this story on the news. 

Offline persephone325 (Topic starter)

Re: Elliquiy unsafe?
« Reply #2 on: April 09, 2014, 06:14:30 PM »
Since staff can see our IP addresses, I was wondering if any account were to be hacked in this way (or another way) would there be a change in IP address if there was a post made with the hacked account?

Also, I'd still like to know if E is in danger of this. (Not to sound rude. I just didn't want my first question overlooked because I asked another.)

Offline Beguile's Mistress

Re: Elliquiy unsafe?
« Reply #3 on: April 09, 2014, 06:47:20 PM »
The hackers wouldn't hack our E accounts.  They hack servers that are sending pings back to our computers and then use that link to steal information from our computers about accounts we have with banks, vendors and the like.

Offline persephone325 (Topic starter)

Re: Elliquiy unsafe?
« Reply #4 on: April 09, 2014, 06:49:46 PM »
In essence, they would have access to our passwords if they hacked the E server. Not sure why anyone would want to hack E, but even so...

Offline Oniya

  • StoreHouse of Useless Trivia
  • Oracle
  • Carnite
  • *
  • Join Date: Sep 2008
  • Location: Just bouncing through. Hi! City of Roses, Pennsylvania
  • Gender: Female
  • One bad Motokifuka. Also cute and FLUFFY!
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 3
Re: Elliquiy unsafe?
« Reply #5 on: April 09, 2014, 07:00:07 PM »
Well, Mojang recommended that people change their passwords on their Minecraft/Mojang accounts.  I had to update my launcher as well (thankfully it actually works at the 1.5 level on the dinosaur, or the little Oni would have been terribly disappointed that we couldn't play together.)

Offline Oreo

Re: Elliquiy unsafe?
« Reply #6 on: April 09, 2014, 08:52:50 PM »
Hmmmm, I wonder if it even steals your password to access your passwords?

Offline Vekseid

Re: Elliquiy unsafe?
« Reply #7 on: April 09, 2014, 09:26:40 PM »
Quote
I'm not talking about the people on the site. I recently saw something on the news that the secure server that is used to store passwords for websites (specifically ones with the little lock icon in the url bar before the address like E, Facebook, Tumblr, banking sites) has been targeted by hackers that can send a fake "heartbeat" and steal all your information.

I was wondering if E has protective measures against this, and if we should change our passwords or anything.

I patched it Tuesday morning (Yesterday). I still need to regenerate certificates, but my servers are no longer vulnerable to this.

There are rumors that attacks with the same sort of fingerprint began in November, but apparently other legitimate software can also cause the same sort of fingerprint. I'd recommend changing your passwords, but begin with the most important things and use a checker tool to make sure the site in question is actually patched -

- http://filippo.io/Heartbleed/#elliquiy.com
- http://possible.lv/tools/hb/?domain=elliquiy.com

Elliquiy was not vulnerable prior to the server move in August.

Offline Vekseid

Re: Elliquiy unsafe?
« Reply #8 on: April 09, 2014, 09:33:19 PM »
Quote
Hmmmm, I wonder if it even steals your password to access your passwords?

The bug allows you to view a random 64 kilobyte string of loaded memory.

Even if restricted to the webserver user, it would still see POST requests for the duration, so it's possible, however unlikely, that someone saw your password in plaintext.
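
Added example (not part of the thread and not OpenSSL's code): the length check that RFC 6520 requires a server to apply to an incoming heartbeat before echoing it, written in Python. The function names and the two sample messages are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3     # 1 byte type + 2 byte payload_length
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload


def check_heartbeat(message: bytes) -> Tuple[bool, str]:
    """Validate one decrypted HeartbeatMessage body; return (ok, reason)."""
    if len(message) < HEADER_LEN + MIN_PADDING:
        return False, "message shorter than header plus minimum padding"
    msg_type, claimed = struct.unpack("!BH", message[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, f"unknown heartbeat type {msg_type}"
    # The check vulnerable builds lacked: the sender's claimed payload length
    # must fit inside the bytes that were actually received.
    available = len(message) - HEADER_LEN - MIN_PADDING
    if claimed > available:
        return False, f"claimed payload {claimed} bytes, only {available} available"
    return True, "ok"


def heartbeat_reply_payload(message: bytes) -> Optional[bytes]:
    """Payload a patched server would echo, or None when the message is discarded."""
    ok, _ = check_heartbeat(message)
    if not ok:
        return None  # RFC 6520: discard silently, send nothing back
    claimed = struct.unpack("!H", message[1:HEADER_LEN])[0]
    return message[HEADER_LEN:HEADER_LEN + claimed]


# Constructed samples: both carry 5 real payload bytes plus 16 padding bytes.
WELL_FORMED = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + bytes(16)
OVERSTATED = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"hello" + bytes(16)

if __name__ == "__main__":
    for name, msg in (("well-formed", WELL_FORMED), ("overstated", OVERSTATED)):
        print(name, check_heartbeat(msg), heartbeat_reply_payload(msg))
```

The length field is 16 bits wide, which is where the 64 kilobyte ceiling mentioned above comes from.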


Offline Beguile's Mistress

Re: Elliquiy unsafe?
« Reply #9 on: April 09, 2014, 09:53:32 PM »
Companies have been putting in the patch for a while now.  Not everyone has, so follow Veks' advice and double check you change your password.

Offline Cassandra Cavenaugh

Re: Elliquiy unsafe?
« Reply #10 on: April 09, 2014, 10:15:35 PM »
Quote
I patched it Tuesday morning (Yesterday). I still need to regenerate certificates, but my servers are no longer vulnerable to this.

There are rumors that attacks with the same sort of fingerprint began in November, but apparently other legitimate software can also cause the same sort of fingerprint. I'd recommend changing your passwords, but begin with the most important things and use a checker tool to make sure the site in question is actually patched -

- http://filippo.io/Heartbleed/#elliquiy.com
- http://possible.lv/tools/hb/?domain=elliquiy.com

Elliquiy was not vulnerable prior to the server move in August.

As someone who works in the infosec industry, you patched faster than most. Many Internets to you for being proactive.

Offline Valthazar

  • Writer ͏͏● Educator ● Gamer ● Roleplayer ● Debater ● Tech Connoisseur ● Gym Rat ● Procrastinator ● As they say, "A simple PM may lead to lifelong friendship" ▬▬▬▬
  • Suspended
  • Seducer
  • *
  • Join Date: Mar 2013
  • Location: United States
  • Gender: Male
  • Proceed and be bold. Embrace your insecurities.
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 0
Re: Elliquiy unsafe?
« Reply #11 on: April 12, 2014, 10:17:37 PM »
Just set up one-time passwords to be sent to your cell phone each time you log in to your online bank, email, or MMO.  Not fool-proof, but that will give you some extra peace of mind.

Offline stormwyrm

Re: Elliquiy unsafe?
« Reply #12 on: April 12, 2014, 10:39:05 PM »
For those of you who are still confused about the nature of the issue, this should help:

http://xkcd.com/1354/

In short, it's rather serious, and one really ought to consider changing one's passwords especially for important sites, but only after they have confirmed they've fixed the issue on their systems. Here's a list of the popular services whose passwords you might want to consider changing:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
« Last Edit: April 12, 2014, 10:42:30 PM by stormwyrm »

Offline Valthazar

Re: Elliquiy unsafe?
« Reply #13 on: April 12, 2014, 10:53:32 PM »
Thanks for the overview, that helps me to understand it a lot better.

Offline inghippo

Re: Elliquiy unsafe?
« Reply #14 on: April 15, 2014, 09:53:04 AM »
Just my opinion, but the Heartbleed bug is about OpenSSL for HTTPS.
So, HTTPS exists to encrypt data from client to server (when you type your password in the login and post it to the server, "yourpassword" becomes "saddwdaw8w878927323hcdhch" and only the server can understand/reverse this encryption).
This is useful if you are connected to an open wifi or someone is in your network and could sniff what you send from the client; this way, even if the "man in the middle" sniffs some data, it is encrypted and only the server can translate it.

So, my advice is to always check your connection to the internet, and set a secure password for your wifi/modem.
Never use Internet Explorer; Google Chrome, Firefox, Safari and Opera are better.
Never install toolbars in your browser; they normally get a lot of data from what you do on the internet and slow down your PC/Mac.
Check your browser is updated (some browsers auto-update by themselves, so no need to worry).
Get a good firewall/antivirus like Avast and keep it updated (avoid things like Norton or McAfee; they will screw up your file system).
Keep your OS updated (if your OS cannot be updated, try to get one that can be kept up to date).

Another good thing to do is to use a strong password; never use a family member's, friend's or pet's name, a birthday, or anything that can easily be found on your or your friends' Facebook accounts.

Try thinking about something you normally don't write online or, even better, something random.
Uppercase, lowercase, numbers and symbols can make a strong password.

BabaMama980 is a good password
inghippo84 is not



Offline stormwyrm

Re: Elliquiy unsafe?
« Reply #15 on: April 15, 2014, 09:28:00 PM »
If anyone needs advice on choosing new passwords, I think this is the best advice out there: http://xkcd.com/936/

Another XKCD, yes. A password made out of four randomly selected common words gives 44 bits of entropy, which will require an attacker attempting to brute force it to make 17 trillion guesses on average to get it right, if he assumed that you were using the scheme. I assume that Vekseid would soon enough notice that someone was trying to do such nonsense on E and try to stop them, no? It may not be as much help if an offline attack became possible, say if E's authentication database were compromised and an attacker got hold of the encrypted password list for all our accounts, but increasing the number of words makes it harder, and at seven words it becomes essentially infeasible even for intelligence agencies.

I use a similar scheme myself, but for a password vault application, which also is able to generate completely random 25 character passwords for every site and service I use. This is just about 175 bits of entropy, essentially impossible to crack. I don't have to remember them all, just remember the master password for the vault. There's a version of the vault program for Android, so I can use my phone to store my passwords in the same way.
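
Added example (not part of the thread): the arithmetic behind the figures in the post above, together with a generator that draws from the operating system's CSPRNG so the estimate actually holds. The 2048-entry word list is a constructed stand-in and the offline guessing rate is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in list of 2048 distinct "words"; real use would load a
# published word list instead (assumption, not from the thread).
WORDS = [f"word{i:04d}" for i in range(2048)]
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def keyspace(choices: int, picks: int) -> int:
    """Equally likely secrets an attacker who knows the scheme must cover."""
    return choices ** picks


def years_to_search_half(choices: int, picks: int, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the keyspace at the given rate."""
    return keyspace(choices, picks) / 2 / guesses_per_second / SECONDS_PER_YEAR


def make_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """Draw words uniformly with the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def make_random_password(length: int = 25, charset: str = CHARSET) -> str:
    """Vault-style password: every character drawn independently."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    OFFLINE_RATE = 1e10  # assumed guesses/second against a fast, unsalted hash
    for n in (4, 7):
        print(f"{n} words: {entropy_bits(len(WORDS), n):.0f} bits, "
              f"{years_to_search_half(len(WORDS), n, OFFLINE_RATE):.3g} years offline")
    print(f"25 chars: {entropy_bits(len(CHARSET), 25):.1f} bits")
    print(make_passphrase(WORDS), "|", make_random_password())
```

With 94 printable ASCII symbols a 25-character password comes to about 164 bits; a figure of 175 bits corresponds to 7 bits per character, that is, a 128-symbol alphabet.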

Offline Kythia

  • Noooo-one Fights like Kythia no-one bites like Kythia
  • Dame
  • Enchanter
  • *
  • Join Date: Oct 2012
  • Gender: Female
  • No one chain smokes Marlboro lights like Kythia
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 1
Re: Elliquiy unsafe?
« Reply #16 on: April 16, 2014, 01:12:44 AM »
I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.

Offline gaggedLouise

  • Quim Queen | Collaborative juicy writer
  • Champion
  • Enchanter
  • *
  • Join Date: Jan 2011
  • Location: Scandinavia
  • Gender: Female
  • Bound, gagged and unarmed but still dangerous.
  • My Role Play Preferences
  • View My Rolls
  • Referrals: 0
Re: Elliquiy unsafe?
« Reply #17 on: April 16, 2014, 01:52:54 AM »
Quote
I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.

*worried look* Kythia, please show your good sense - that does not sound healthy. Hackers and password fishers often use robotic programmes to make thousands of attempts on an unknown password, in quick succession. I don't use ultra complicated wordings myself, but picking a word, or a name (preferably one that doesn't have any real connection to you personally) and adding an arbitrary two-figure number, perhaps two arbitrary letters as well, is sort of proactive security.

You must be kidding to be saying you really use "password/number/" as a password, right? Stuff like "password", "facebook", "America", "myhome" and so on are *coughs* a no-no-no.  8-)

I'll reuse the same password for several sites too, but not for all sites.
« Last Edit: April 16, 2014, 01:57:49 AM by gaggedLouise »

Offline Oreo

Re: Elliquiy unsafe?
« Reply #18 on: April 16, 2014, 02:14:45 AM »
I have to agree. 'Password' is the 4th most commonly used password out there. One of the easiest ways to remember a password is to anagram a sentence. Like: My Favorite Site Is E/ MfsiE!14

That is not my password, just an example.

Offline inghippo

Re: Elliquiy unsafe?
« Reply #19 on: April 16, 2014, 03:33:17 AM »
If you don't have time to think up a new password every time, or you feel like you'll forget a complex password, you can try this:

http://www.passwordcard.org/en

It is a card password generator; with the card you can define a lot of passwords.

If you prefer an old-fashioned way, the best way to keep a password is to write it on paper, so:

http://hellocuteness.com/2013/01/free-printable-whats-my-login-password-tracker/
http://www.organizinghomelife.com/archives/5678

Hope this will help to keep your passwords safe and up to date. :)


Offline Oreo

Re: Elliquiy unsafe?
« Reply #20 on: April 16, 2014, 03:38:21 AM »
I keep mine written down on a 4x6 card just in case something happens to me and my family needs to advise someone of the circumstances. Like tell Amazon to discontinue my Prime.

*cough* I also keep the card because I can't remember my passwords.

Offline inghippo

Re: Elliquiy unsafe?
« Reply #21 on: April 16, 2014, 03:53:17 AM »
Quote
in case something happens to me and my family needs to advise someone of the circumstances. Like tell Amazon to discontinue my Prime.

In case something happens to me or my family I have to feed a lot of cats, so Amazon will be my last priority! xD

Offline Oreo

Re: Elliquiy unsafe?
« Reply #22 on: April 16, 2014, 04:01:00 AM »
Quote
In case something happens to me or my family I have to feed a lot of cats, so Amazon will be my last priority! xD
All the cats will be hubby's problem, and we have a lot of cats. XD

Offline inghippo

Re: Elliquiy unsafe?
« Reply #23 on: April 16, 2014, 04:28:47 AM »
Lucky you! My cats probably call me "mom" in their mind...weird...  ;D

Offline stormwyrm

Re: Elliquiy unsafe?
« Reply #24 on: April 16, 2014, 09:55:04 PM »
Quote
I use the same password for everything.  "Password" ("Password1" if it requires a number).  Hackers will be expecting something difficult.  And, plus, if anything of mine does get hacked it ain't a problem because they'll already have crossed "Password" off their list of words to try, so all my other stuff will be safe.

I do hope you're kidding, Kythia. That isn't how hackers and their tools operate, as I've seen them used against systems I have responsibility for, and have used them myself to ensure that they don't work against systems I work to defend. A password cracking tool basically has a dictionary of common passwords, and then it tries those first. There is no question of expectations: the tools they use are programmed to go after the low-hanging fruit first, which includes accounts with passwords like that. And they do this again and again for all the sites they target, and in the times they do get a password from a database, the first thing they'll do is try those same credentials on other sites.