Cockos Incorporated Forums > REAPER Forums > REAPER General Discussion Forum
02-18-2015, 06:30 AM   #1
Ollie
Super Moderator (no feelings)

Spam bots trying to guess your password

Over the last weeks spammers have been trying to (automatically) hack user accounts in some forums (including ours) in order to send spam links via PM. One of the many, many attempts appears to have succeeded today.

- They are trying to guess passwords, so you may get an automated message from the forum, informing you that someone tried to log in to your account unsuccessfully. We are checking the forums for "weak" passwords frequently, so I know no member is particularly vulnerable. There's nothing to do or worry about. But a more complex password that's not just a word you could find in a dictionary is immune to these "dictionary attacks".

- If you do get unexpected PMs with strange links, notify me or any other moderator via PM, or use the "Contact us" link at the bottom of the forum home page, with the user name of the PM sender. Of course, do not click the link and do not quote/post it on the forum. Just delete the PM.

Last edited by Ollie; 02-18-2015 at 06:55 AM.
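The automated "someone tried to log in to your account" message Ollie describes is the output of detection logic like the following. This is an added example, not forum or vBulletin code; the log format (timestamp, client IP, account, ok/fail) and the sample lines are constructed for illustration. It flags both a burst of failures against one account (dictionary guessing) and one client failing across many accounts (a bot walking a member list).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real forum logs). Format assumed here:
# <ISO timestamp> <client IP> <account name> <ok|fail>
SAMPLE_LOG = """\
2015-02-18T06:01:02 203.0.113.7 alice fail
2015-02-18T06:01:03 203.0.113.7 alice fail
2015-02-18T06:01:04 203.0.113.7 alice fail
2015-02-18T06:01:05 203.0.113.7 alice fail
2015-02-18T06:01:06 203.0.113.7 alice fail
2015-02-18T06:01:07 203.0.113.7 alice ok
2015-02-18T06:05:00 198.51.100.9 bob fail
2015-02-18T06:05:01 198.51.100.9 carol fail
2015-02-18T06:05:02 198.51.100.9 dave fail
2015-02-18T06:05:03 198.51.100.9 erin fail
2015-02-18T06:09:00 192.0.2.44 frank fail
2015-02-18T06:09:30 192.0.2.44 frank ok
"""


def parse_log(text):
    """Parse the constructed format into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def find_guessing(text, window=timedelta(minutes=5), per_user=5, per_ip_users=3):
    """Return (account_alerts, spraying_ips).

    account_alerts maps an account that took >= per_user failures inside
    `window` to True if a login then succeeded within the window (treat the
    account as possibly hijacked) and False otherwise.
    spraying_ips holds client IPs that failed against >= per_ip_users distinct
    accounts inside `window` (one bot walking a member list).
    """
    recent_user_fails = defaultdict(list)   # user -> [timestamps]
    recent_ip_fails = defaultdict(list)     # ip -> [(timestamp, user)]
    account_alerts = {}
    spraying_ips = set()
    for ts, ip, user, result in parse_log(text):
        if result == "fail":
            fails = recent_user_fails[user]
            fails.append(ts)
            while ts - fails[0] > window:          # drop failures outside the window
                fails.pop(0)
            if len(fails) >= per_user:
                account_alerts.setdefault(user, False)
            ip_fails = recent_ip_fails[ip]
            ip_fails.append((ts, user))
            while ts - ip_fails[0][0] > window:
                ip_fails.pop(0)
            if len({u for _, u in ip_fails}) >= per_ip_users:
                spraying_ips.add(ip)
        elif user in account_alerts:
            fails = recent_user_fails[user]
            if fails and ts - fails[-1] <= window:
                account_alerts[user] = True         # success right after a burst of guesses
    return account_alerts, spraying_ips


if __name__ == "__main__":
    alerts, sprayers = find_guessing(SAMPLE_LOG)
    print("accounts under guessing:", alerts)
    print("spraying clients:", sprayers)
```

On the sample, alice is flagged with a success following the burst (the "one attempt succeeded" case from the post), and 198.51.100.9 is flagged as spraying; frank's single failure is ignored.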
02-18-2015, 06:33 AM   #2
Dannii

I got a spam PM from a member (who has zero posts and was banned) earlier today and went to the PM and clicked the report button. Is that sufficient to let you guys know all the details you need?

EDIT - The spammer is the same one numerous others received and posted about here... http://forum.cockos.com/showthread.php?t=155812
02-18-2015, 06:44 AM   #3
Breeder

What's up with Cockos forum lately? I've never seen so many bots and attacks on other forums... maybe it's finally time to update vBulletin to a more recent version?
02-18-2015, 06:45 AM   #4
EvilDragon

Quote:
Originally Posted by Breeder
maybe it's finally time to update vBulletin to more recent version?
Hear, hear!
02-18-2015, 07:17 AM   #5
Ollie
Super Moderator (no feelings)

Quote:
Originally Posted by Breeder
What's up with Cockos forum lately? I've never seen so many bots and attacks on other forums...
A forum has to be a) interesting for the spammers (high PR) and b) must be included in the URL lists of the known spambot software to get so much attention in the first place. Other forums you visit may not meet those "requirements", or you spend less time there so you miss the spam before it gets deleted. Anyway, we are not the only forum that gets it pretty hard currently, and I wouldn't blow it out of proportion and call it an "attack"; they're just spamming in more desperate ways now.

Quote:
Originally Posted by Breeder
maybe it's finally time to update vBulletin to more recent version?
The bots are trying to hack user accounts via "dictionary attack", not the forum software. A forum software update wouldn't help with that, and it doesn't help with fighting spam in general.
02-18-2015, 09:24 AM   #6
ivansc

Anyone else remember when cowpie lyrics site had their mail list hacked?

I got over 200 self-opening emails containing a variant of the old winklez virus.
That is when I discovered Norton was useless......
02-18-2015, 09:50 AM   #7
Ollie
Super Moderator (no feelings)

Again, there was no attempt at hacking the forum or the member database, it's just attempts to log into existing accounts by guessing the password. There was no security breach. If you want to be extra safe, use a password as described e.g. here http://wolfram.org/writing/howto/password.html
02-18-2015, 09:53 AM   #8
Naji

What is the sense of finding out users' passwords?

Is the hacking attack maybe the reason for the new update maybe having a Trojan virus?
02-18-2015, 09:56 AM   #9
DarkStar

^^^^
I like the idea of the first letter of the words in a memorable phrase.

So I'm going to use: Possibly all sociology students will observe red deer.

I do hope that that will be OK.
02-18-2015, 10:04 AM   #10
4x4uk

Quote:
Originally Posted by Naji
What is the sense of finding out users' passwords?

Is the hacking attack maybe the reason for the new update maybe having a Trojan virus?
Oh no, not again, that damned horse gets everywhere.
02-18-2015, 10:08 AM   #11
hopi

Thanks Ollie... I too got one of those PMs and just deleted it....
02-18-2015, 11:33 AM   #12
Stringer

Quote:
Originally Posted by DarkStar
^^^^
I like the idea of the first letter of the words in a memorable phrase.

So I'm going to use: Possibly all sociology students will observe red deer.

I do hope that that will be OK.
Or Purple Aardvarks Stand Silently Wiggling On Real Dirt.

Seriously, you need to avoid any word or phrase in any language that has ever appeared on the internet. I read that a password cracker cracked the password "Ph'nglui mglw'nafh C'thulhu R'lyeh wgah'nagl fhtagn" (a phrase from H.P. Lovecraft's Call of Cthulhu) in seconds because it appears on Lovecraftian websites and got scooped up and added to the dictionary file. You need to have your own personal nonsense words combined with random numbers and symbols.
02-18-2015, 11:58 AM   #13
timlloyd

Quote:
Originally Posted by Stringer
You need to have your own personal nonsense words combined with random numbers and symbols.
If you use a password manager, then you only need to remember one of these crazily weird, random and virtually un-rememberable passwords. Any common pattern in your passwords makes them less secure. Get a PM with 2FA and you won't have to worry about this stuff at all anymore.
02-18-2015, 12:04 PM   #14
karbomusic

Quote:
I like the idea of the first letter of the words in a memorable phrase.
Look up Rainbow table or dictionary attack. With millions upon millions of hacked passwords being released over the last few years, anything containing any phrases or based on phrases becomes suspect. I can't say your idea is especially bad but if it already exists anywhere in any table of previously hacked passwords, it isn't secure any longer.

The best is for it to be long and random and different for every service that is password protected.
02-18-2015, 12:10 PM   #15
Stringer

Quote:
Originally Posted by karbomusic
Look up Rainbow table or dictionary attack. With millions upon millions of hacked passwords being released over the last few years, anything containing any phrases or based on phrases becomes suspect. I can't say your idea is especially bad but if it already exists anywhere in any table of previously hacked passwords, it isn't secure any longer.

The best is for it to be long and random and different for every service that is password protected.
You missed the joke. His phrase (and mine) spell out "password." But your advice is good.
02-18-2015, 02:12 PM   #16
karbomusic

Quote:
Originally Posted by Stringer
You missed the joke. His phrase (and mine) spell out "password." But your advice is good.
Ruh oh, you are right. I was all "security serious" and missed it. LOL!
02-18-2015, 02:23 PM   #17
magicchord

I got a spam PM as well. I'd already deleted it so I can't tell you who it was from. Sorry.
02-18-2015, 03:48 PM   #18
metal_priest

Me too this morning, I reported it with the exclamation mark symbol and deleted it... I don't remember the nickname, sorry.
02-18-2015, 04:26 PM   #19
ginormous

Quote:
Originally Posted by ReaDave
I got a spam PM from a member (who has zero posts and was banned) earlier today and went to the PM and clicked the report button. Is that sufficient to let you guys know all the details you need?

EDIT - The spammer is the same one numerous others received and posted about here... http://forum.cockos.com/showthread.php?t=155812
That's the one I got. Report and delete.

For God's sake (or whatever spins your propeller), DON'T CLICK ON ANY LINKS! Computer 101, right? I had to hose down the desktop after my wife played one of those infernal Facebook games, and she clicked on a link to the "game website".
02-18-2015, 04:53 PM   #20
Jeffsounds

I got one yesterday. But I was notified of the PM via email and when I read it I knew it was junk and when I logged into Reaper I just deleted it without looking at it.

I remember who it was from though. Dark Star!

KIDDING!!!!!!!

It may still be in my email so I'll look next time I check in.

EDIT: Yep. Same one The Whistler got from the same name.
02-18-2015, 06:00 PM   #21
ponk

02-18-2015, 11:33 PM   #22
technogremlin

Quote:
Originally Posted by Stringer
You need to have your own personal nonsense words combined with random numbers and symbols.
Just dream up some very strange sentence and use that. Something like:
Quote:
aggressivetreeseatbroccoli
It is also very easy to remember (for you) because it is strange. I use the same 'passphrase' (obviously not 'this' one) for decades now and it never got hacked, and I'm pretty active on the webs (also for decades).

The only problem is that there are still (a lot of) websites and forums that don't allow passphrases, sometimes just six or eight character passwords. Which is pretty stupid coding-wise as any good system should only store the MD5 hash, instead of the actual password, and a hash is the same length no matter what you throw at it.

Quote:
Originally Posted by Ollie
We are checking the forums for "weak" passwords frequently, so I know no member is particularly vulnerable.
Does this mean the forum passwords are stored as clear text?

Or do you do a dictionary attack yourself just to test?
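The point above that a stored hash has the same length whatever the user types, so a site has no storage reason to cap password length, looks like this in code. This is an added example, not the forum's or vBulletin's implementation; it uses salted PBKDF2-HMAC-SHA256 from Python's standard library, a deliberately slow hash, rather than the plain MD5 mentioned in the post, and the record format (`algorithm$iterations$salt$digest`) is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # work factor: raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)   # per-user random salt: identical passwords store differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: no timing difference between near and far misses
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_length(password: str) -> int:
    """Length of what the site stores; identical for 8 or 80 characters of input."""
    return len(hash_password(password))


if __name__ == "__main__":
    record = hash_password("aggressivetreeseatbroccoli")
    print(record)
    print("short and long inputs store the same size:",
          record_length("12345678") == record_length("a passphrase of many words"))
```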
02-19-2015, 07:43 PM   #23
Mr. Data

Shouldn't we all have the password '12345' or, if at least eight characters are demanded, '12345678'?

I personally find '12121212' extremely compelling.

-Data
02-19-2015, 10:36 PM   #24
EpicSounds

Quote:
Originally Posted by Naji
What is the sense of finding out users' passwords?
Because people are lazy and many use the same passwords for multiple sites. If it matches their email login then they can get a lot of information.
02-20-2015, 03:39 AM   #25
rvman

Yep, I've got a message in my inbox now.
02-20-2015, 04:19 AM   #26
Ollie
Super Moderator (no feelings)

Quote:
Originally Posted by technogremlin
Does this mean the forum passwords are stored as clear text
No. vBulletin has a function to check this. Passwords can't be read, retrieved or accessed in any way.
02-20-2015, 04:34 AM   #27
KevinW

Quote:
Originally Posted by Ollie
No. vBulletin has a function to check this. Passwords can't be read, retrieved or accessed in any way.
I posted in the other related thread where you said you routinely look for weak passwords and hadn't found any for a long time. Up until Wednesday night, I had a VERY weak password, so I'm not sure if the vBulletin function is terribly reliable.
02-20-2015, 06:25 AM   #28
balamouk69

I also got a PM from an unrecognized sender prior to reading your post. I just deleted it. If I get another I'll let you know the sender.
02-20-2015, 07:23 AM   #29
Ollie
Super Moderator (no feelings)

Quote:
Originally Posted by KevinW
I posted in the other related thread where you said you routinely look for weak passwords and hadn't found any for a long time. Up until Wednesday night, I had a VERY weak password, so I'm not sure if the vBulletin function is terribly reliable.
Yeah it's at best rudimentary. So if you're using "password" as a password and get your account hijacked, you will feel the wrath of your fellow forum members and lose your account. Don't do that.
02-23-2015, 03:03 PM   #30
Thoraldus
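A weak-password check that goes beyond the "rudimentary" one discussed here rejects a candidate if a mangled form of it (case, trailing digits or symbols, leet substitutions) appears in a list of previously leaked passwords, which is karbomusic's point earlier in the thread, and it does so by hash prefix so the candidate itself is never sent to the breach lookup. This is an added example, not vBulletin's check; the leaked list, the breach "range table" and the `acronym` helper (which shows why the first-letter phrases in this thread collapse to "password") are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (lowercase leaked passwords).
LEAKED = {"password", "12345678", "12121212", "qwerty", "letmein"}

# Undo the substitutions a cracker's rule file applies: 'p@ssw0rd' -> 'password'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def acronym(phrase: str) -> str:
    """First-letter scheme from the thread: 'Possibly all sociology ...' -> 'Password'."""
    return "".join(word[0] for word in phrase.split())


def lookup_forms(candidate: str) -> set:
    """Forms a checker should test, mirroring common mangling rules."""
    forms = {candidate, candidate.lower()}
    stripped = re.sub(r"[^a-z]+$", "", candidate.lower())   # drop trailing digits/symbols
    if stripped:                                             # all-digit input stays as is
        forms.add(stripped)
        forms.add(stripped.translate(LEET))
    return forms


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# k-anonymity layout: 5-hex-char prefix -> {35-char suffix: times seen}.
# A real breached-password service returns the suffix list for a prefix,
# so only the prefix ever leaves the registration form. Constructed here.
RANGE_TABLE = {}
for _pw in LEAKED:
    _h = sha1_hex(_pw)
    RANGE_TABLE.setdefault(_h[:5], {})[_h[5:]] = 1


def breach_count(candidate: str) -> int:
    """How often `candidate` appears in the corpus, queried by hash prefix only."""
    h = sha1_hex(candidate)
    return RANGE_TABLE.get(h[:5], {}).get(h[5:], 0)


def is_weak(candidate: str, min_len: int = 8) -> bool:
    """Reject short passwords and anything that is a mangled leaked password."""
    if len(candidate) < min_len:
        return True
    return any(breach_count(form) > 0 for form in lookup_forms(candidate))


if __name__ == "__main__":
    for pw in ["P@ssw0rd!23", "12121212",
               acronym("Possibly all sociology students will observe red deer"),
               "aggressivetreeseatbroccoli"]:
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'ok'}")
```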

This is my approach ...

1. Use a password manager. I use LastPass.
2. Do not use the same password twice, i.e. use a different password for every site.
3. Use strong passwords like 's6i#tyG9srwaVl$Q' for sites like this.
4. Use stronger passwords like 'wrC^I$yM3uIrOEBp0LLiXpn3ippANJEd' for financial sites.
5. Change your passwords for important sites at least 4 times a year.
6. Use LastPass 'Security Challenge' once a month to check if your email addresses have been compromised and the status of any compromised sites you frequent.

So far so good! ;-)

By the way, I must confess that I'm not quite in compliance with item #2. I still have quite a number of low level sites all using the same password. I'm working at getting that number to zero.
02-23-2015, 06:10 PM   #31
Quasar

Quote:
Originally Posted by magicchord
I got a spam PM as well. I'd already deleted it so I can't tell you who it was from. Sorry.
Same here. There was a link to how to make a million dollars in 5 minutes working from home or whatever, and I just immediately deleted it.

I have created a more robust password, though, after reading this.
02-26-2015, 03:38 AM   #32
Mivo

Quote:
Originally Posted by Ollie
Again, there was no attempt at hacking the forum or the member database, it's just attempts to log into existing accounts by guessing the password.
Which is why this thread shouldn't have "hack" in the subject. Just gives the wrong idea of what's going on. "Spam bots trying to guess passwords" may be less fear inducing.
02-26-2015, 04:27 AM   #33
Ollie
Super Moderator (no feelings)

Good point, thanks.
02-26-2015, 07:09 AM   #34
Thoraldus

Quote:
Originally Posted by Mivo
Which is why this thread shouldn't have "hack" in the subject. Just gives the wrong idea of what's going on. "Spam bots trying to guess passwords" may be less fear inducing.
Attempting to exploit weaknesses in a computer system, like weak passwords, is by definition hacking these days. The definition of hacker has changed over the years. It used to be a positive thing.
02-27-2015, 12:23 PM   #35
Quest The Wordsmith

LastPass. I can't live without it.
03-08-2015, 11:42 PM   #36
Dannii

Quote:
Originally Posted by Quest The Wordsmith
LastPass. I can't live without it.
Big +1.
02-27-2016, 08:25 AM   #37
FriedaCalor

LastPass got hacked. I would never rely on a password manager. Talk about a high profile target.

If it's a site that really matters I use a random combination of upper case, lower case, numbers and symbols. They are all stored on encrypted USB sticks that also have a sequence that is unbreakable by a dictionary crack. I only have to remember that password. I back up the USB stick every time I make a change to another encrypted USB device.

You don't want them residing on your computer and you don't want them in the cloud, which has proved vulnerable.

Make them as long as the site will allow. Apple ID, for example, allows 25 characters. Use 25.

Just because you're paranoid doesn't mean they aren't watching you. We pretty much know for a fact they are.
04-01-2016, 01:20 PM   #38
Evan

There is also KeePass, which is an application that works locally (i.e. not on the cloud). It is open source.

I currently use LastPass because it seems solid in Chrome and Firefox. But I need an excuse to move over to KeePass and find reliable browser add-ons.

LastPass keeps data encrypted in the cloud. As long as the (your) master password is complex enough, it (the data) should be pretty safe from any 3rd party.
04-01-2016, 02:09 PM   #39
jerome_oneil

Generally, requiring goofy characters in a password, and adding other restrictions on what it has to have and what it can't have actually make it easier for computers to brute force.

Common words you can remember, strung together, are the best option. You can remember them, so you're not writing them down somewhere, they provide enough data to make it hard for computers to break, and they won't be found in any pregenerated rainbow tables.
04-02-2016, 09:50 AM   #40
Dannii

Interesting info Jerome. I've always used the former combinations of random characters and symbols but what you've posted makes sense.
Powered by vBulletin® Version 3.8.11