If You Use The Same Password on Billiards Digest & AZB...

sfleinen

14.1 & One Pocket Addict
Gold Member
Silver Member
Better change it as a precaution...

All the User passwords for BD
http://forums.azbilliards.com/showthread.php?t=305258

It might take time for someone to decrypt them, but it's out there forever now.

If you use a common p/w across many forums....:eek:

Agreed. That "pastebin" website is well-known to us in the information security circles, and if your "stuff" shows up there, you're in deep kimchi (security posture-wise).

To be sure, that "dump" you see on the pastebin website are NOT passwords; they are password hashes. "Hashes" are technically one-way "destructive" encryption -- meaning, they're "not supposed" to be able to be "decrypted" backwards. The way hashes are used, is that your password is "destructively encrypted" into a hash, and that hash is stored in a database. Then, when you login to that site, the password you type into the "Password:" field is destructively encrypted (hashed) once again, and that hash is compared to the hash stored in the database. If the hashes match, you typed the correct/same password as that which created the original hash, and you're authenticated.

The problem with "one-way, destructive encryption" is that the hash is ALWAYS of a finite, fixed length. Meaning, if your password is longer than the hash itself, information is "lost" (truncated) and your hash has the possibility of matching another completely different password.

Another problem with hashes is the algorithm used to create them. The two most common, MD5 and SHA-1, are increasingly getting nibbled away at by ever more powerful computers. MD5 is just about there -- fully cracked. SHA-1 is a little more secure, but it's getting nibbled away at, too.

So a farm of commodity PCs (e.g. running Linux in a parallel computing environment) can take that list of MD5 hashes from the Billiards Digest site, and begin what's called a "brute force" attack on that list of hashes -- MD5'ing basically every word in the dictionary, with digits, upper and lowercasing every letter, substituting numbers for vowels, mixing punctuation in amongst the letters, etc. -- and comparing the resulting hash with each hash in the Billiards Digest list. Got a match? Record the "password" used to generate that matching hash along with the username.

And they *WILL* crack most of them. It's just a matter of time.

I scanned briefly through that list, and there are a bunch of AZB'er screennames in that list I recognize.

So if you have a Billiards Digest account that uses the same screenname, it behooves you to not only change your Billiards Digest password, but also your AZB password if it's the same.

Do it now, while you're reading this!

Signed, your friendly neighborhood information security professional,
-Sean
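The hash-then-compare login flow Sean describes, as an added example that is not from this thread: two constructed accounts that share a password get the same unsalted MD5 hash, which is why a leaked list of such hashes can be checked against precomputed tables and why a reused password is visible in the dump itself; a per-user random salt with a slow key-derivation function (PBKDF2 here) is the standard mitigation. All accounts, passwords and hashes below are made up for the demo.

```python
import hashlib
import hmac
import os

# Toy account stores for the demo; every record is constructed here, nothing
# comes from the leaked list discussed in the thread.
UNSALTED_DB = {}   # username -> hex MD5 of the password (the scheme the post describes)
SALTED_DB = {}     # username -> (random salt, PBKDF2-HMAC-SHA256 digest)
ITERATIONS = 100_000  # work factor: makes every guess deliberately expensive

def md5_hex(password: str) -> str:
    """Plain one-way hash, no salt: identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def register_unsalted(user: str, password: str) -> None:
    UNSALTED_DB[user] = md5_hex(password)

def login_unsalted(user: str, password: str) -> bool:
    """Hash what the user typed and compare it to the stored hash, as in the post."""
    stored = UNSALTED_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, md5_hex(password))

def salted_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register_salted(user: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt, stored next to the digest
    SALTED_DB[user] = (salt, salted_digest(password, salt))

def login_salted(user: str, password: str) -> bool:
    record = SALTED_DB.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, salted_digest(password, salt))

def reused_password_groups(db: dict) -> list:
    """Usernames whose stored hashes are identical: what a dump of unsalted
    hashes reveals to any reader before a single guess is made."""
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)

def demo() -> dict:
    for user, pw in [("alice", "billiards"), ("bob", "billiards"), ("carol", "onepocket")]:
        register_unsalted(user, pw)
        register_salted(user, pw)
    return {
        "login_ok": login_unsalted("alice", "billiards") and login_salted("alice", "billiards"),
        "login_wrong": login_unsalted("alice", "Billiards") or login_salted("alice", "Billiards"),
        # same password -> same unsalted hash, so one cracked hash opens both accounts
        "unsalted_reuse": reused_password_groups(UNSALTED_DB),
        # random salts make the digests differ, and each guess costs ITERATIONS hashes
        "salted_reuse": reused_password_groups({u: d for u, (s, d) in SALTED_DB.items()}),
    }

if __name__ == "__main__":
    print(demo())
```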
 

MahnaMahna

Beefcake. BEEFCAKE!!
Silver Member
And to also chime in on pastebin and the effect....

An industry organization I belong to was hacked by anonymous a year or 2 back and everyone's name, contact info, email, hashed passwords, etc. was posted on pastebin. I heard hackers were able to take over one organization's entire email network through this info, and I still receive email spam, and occasional spam calls/texts.
 

"CaliRed".

High Def Videos!!!
Silver Member
Just to let you guys know, this is no joke. There are many programs and websites that have databases that compare hashes to passwords. It's as easy as pasting that hash you see in pastebin into a website, and it looks through its database to see if it's in there already. If it's not, it can easily be cracked in no time.

I won't give out any links but I just tried one for someone that hangs out in NPR a lot and has a ton of posts and his password is in the database and I was able to login. I will tell you that I logged in and logged right back out; since I've been in IT for several decades I've been entrusted with passwords and full access to every person in any company I've worked for, so I am not the type of person that ever would do anything unethical. So rest assured I was simply gathering some facts so I could present them to you to let you know just how easy it is for someone to do such a thing. I have also PM'ed that person to alert him.

Please remember these guidelines for passwords, as everyone has tons of them all over the net.

Change your passwords every so often
Create strong passwords with upper/lowercase, numbers and symbols, don't create words
Don't create one password for all your accounts
DO get a password program such as KeePass or something and put all your passwords in there. You can stick it in dropbox or a usb stick for convenience.
Remember that if you save all your passwords from your browser (you know, when it prompts you if you want to save it in IE or Firefox) that there are programs that can retrieve every password you saved in a few seconds, if someone has access to your machine
Don't ever let anyone use your pc unattended, even your friends. They may unintentionally do something to compromise you
Beware of tech support websites that you allow into your pc to help you with something... just saying

I know, I know it's inconvenient to do a lot of these things, but it's so easy to steal so much info from someone if someone wants to.

Anyways... CHANGE YOUR PASSWORDS on Billiards Digest forums and if the password you used there is used anywhere else, you'd be best changing those too.

PRONTO!!!!!
 

Chopdoc

AzB Silver Member
Silver Member
> Agreed. That "pastebin" website is well-known to us in the information security circles, and if your "stuff" shows up there, you're in deep kimchi (security posture-wise).
>
> To be sure, that "dump" you see on the pastebin website are NOT passwords; they are password hashes. "Hashes" are technically one-way "destructive" encryption -- meaning, they're "not supposed" to be able to be "decrypted" backwards. The way hashes are used, is that your password is "destructively encrypted" into a hash, and that hash is stored in a database. Then, when you login to that site, the password you type into the "Password:" field is destructively encrypted (hashed) once again, and that hash is compared to the hash stored in the database. If the hashes match, you typed the correct/same password as that which created the original hash, and you're authenticated.
>
> The problem with "one-way, destructive encryption" is that the hash is ALWAYS of a finite, fixed length. Meaning, if your password is longer than the hash itself, information is "lost" (truncated) and your hash has the possibility of matching another completely different password.
>
> Another problem with hashes is the algorithm used to create them. The two most common, MD5 and SHA-1, are increasingly getting nibbled away at by ever more powerful computers. MD5 is just about there -- fully cracked. SHA-1 is a little more secure, but it's getting nibbled away at, too.
>
> So a farm of commodity PCs (e.g. running Linux in a parallel computing environment) can take that list of MD5 hashes from the Billiards Digest site, and begin what's called a "brute force" attack on that list of hashes -- MD5'ing basically every word in the dictionary, with digits, upper and lowercasing every letter, substituting numbers for vowels, mixing punctuation in amongst the letters, etc. -- and comparing the resulting hash with each hash in the Billiards Digest list. Got a match? Record the "password" used to generate that matching hash along with the username.
>
> And they *WILL* crack most of them. It's just a matter of time.
>
> I scanned briefly through that list, and there are a bunch of AZB'er screennames in that list I recognize.
>
> So if you have a Billiards Digest account that uses the same screenname, it behooves you to not only change your Billiards Digest password, but also your AZB password if it's the same.
>
> Do it now, while you're reading this!
>
> Signed, your friendly neighborhood information security professional,
> -Sean



BUMP

Good info there folks. A nice primer.

I am a former IT executive myself and have also done security and forensics.

Most people have no idea that the IT folks have the keys to the universe.

I am glad to see sfleinen is ethical. I know of more than a few that are white hat by day and black hat by night.

Having been in the IT world and the medical world I note a striking difference in the matter of ethics. In medicine it is primary, with specific high level education and training. In IT it is an afterthought at best.

The internet, networks, and web sites are run by some of the brightest people I have met outside of medicine. And the power they hold is enormous, certainly beyond what the average user can imagine.


People. Please listen to what you have been told. They really can own you. It can go way beyond messing with your postings on a forum. They can destroy your life.


Consider yourself warned.


.
 

Sev

I taut I saw a pussy cat!
Gold Member
Silver Member
It's good to know some people are paying attention.
You never know what you're going to find in NPR.

If you are really concerned you can also download and run a password generator.
 

sfleinen

14.1 & One Pocket Addict
Gold Member
Silver Member
> BUMP
>
> Good info there folks. A nice primer.
>
> I am a former IT executive myself and have also done security and forensics.
>
> Most people have no idea that the IT folks have the keys to the universe.
>
> I am glad to see sfleinen is ethical. I know of more than a few that are white hat by day and black hat by night.
>
> Having been in the IT world and the medical world I note a striking difference in the matter of ethics. In medicine it is primary, with specific high level education and training. In IT it is an afterthought at best.
>
> The internet, networks, and web sites are run by some of the brightest people I have met outside of medicine. And the power they hold is enormous, certainly beyond what the average user can imagine.
>
> People. Please listen to what you have been told. They really can own you. It can go way beyond messing with your postings on a forum. They can destroy your life.
>
> Consider yourself warned.
>
> .

Bump again.

Thanks for the kind words, chopdoc. And yes, I am ethical, because as an information security auditor with recognition from the states of CT and NY, I am required by law to be. (Verified by background check, etc.)

To be sure, even as a white hat, I sometimes engage in "gray hat" activities as part of contracted security engagements, where I'm hired to be a "disgruntled employee" and make believe I'm intent on doing damage to a company's information architecture. E.g. thwart physical security (break-in to data centers by bypassing access controls -- and this is a lot easier than many people think), break into databases and "steal" information, break into servers and leave markers that I was there with admin privs and had the ability to destroy everything there, hack through openings in firewalls (e.g. http port 80, or through Microsoft RDP port 3389) and leave markers on the servers that I was there with admin privs and owned them, etc. Then, write up a report detailing what I did, why the architecture fails best practices, and -- this is the value-add I offer in my security reports -- how to fix it. Of course, the carrot there is that I stand a good likelihood that I've earned the trust to be hired to be part of the remediation team, showing "before" and "after" results.

But your message about IT folks having the keys to the kingdom is sound. Fortunately, the information security world realizes that, and we do drills and audits (required by such industry regs as Sarbanes Oxley, Gramm-Leach-Bliley, HIPAA, SAS-70, etc.) framed around "what would happen with rogue IT employees."

I pledge I would NEVER exploit my expertise to harm anyone reading this. Not only because there's nothing I want with AZB / Billiards Digest / other backend information, but 100% because my ethics alarm rings very loudly.

Folks, again, change your password if you're still not "getting" this. The damage that can be done to you goes far beyond someone just using your account to masquerade as you on the forums.

Do it now, while you're reading this.

Respectfully, your friendly neighborhood information security professional,
-Sean
 

Chopdoc

AzB Silver Member
Silver Member
> Bump again.
>
> To be sure, even as a white hat, I sometimes engage in "gray hat" activities as part of contracted security engagements, where I'm hired to be a "disgruntled employee" and make believe I'm intent on doing damage to a company's information architecture. E.g. thwart physical security (break-in to data centers by bypassing access controls -- and this is a lot easier than many people think), break into databases and "steal" information, break into servers and leave markers that I was there with admin privs and had the ability to destroy everything there, hack through openings in firewalls (e.g. http port 80, or through Microsoft RDP port 3389) and leave markers on the servers that I was there with admin privs and owned them, etc.

This is what me and a couple of friends used to do. After I got up to speed, the guy that mentored me used to challenge my networks and servers for me and I would do the same for him. We did it as a courtesy to each other and for fun.

It was fun to play the bad guy actually. Real fun. It also opened my eyes. As you say it is easier than many people suspect. In movies they portray people that can do this as rare genius types. They aren't rare though many are quite bright. The fact is that the tools and knowledge to do it are floating around on the internet and anybody with even a little aptitude can do it.

I was an "accidental admin". Learned on my own with some mentoring. No formal training. The company paid me to go to a Linux class once but I found I was already ahead of what the class presented.

I don't ever want to do that work again actually. I don't like it anymore. But I know enough now to generally keep my stuff safe. The problem is those around me. My wife still can't understand why I get so aggravated if she sits down at my computer. Why does she try to get on my computer? Oh...hers is screwed up again. I told her not to do X, Y, and Z. But she did anyway.

I don't even trust my own wife around my computer and hate that she is on my network!

Yup...I guess I am a little paranoid. But the way I see it that was my job at one time. I was paid to be paranoid! LOL!



.
 

emf123

Up the Irons!!!
Silver Member
yikes, thanks for the heads up everyone!!!
Password and email successfully changed.
 

Nostroke

AzB Silver Member
Silver Member
I can't even sign in over there. Somebody may have decoded it, entered and changed it I guess. Can't wait to see the posts!
 

krupa

The Dream Operator
Silver Member
> Another problem with hashes is the algorithm used to create them. The two most common, MD5 and SHA-1, are increasingly getting nibbled away at by ever more powerful computers. MD5 is just about there -- fully cracked. SHA-1 is a little more secure, but it's getting nibbled away at, too.
>
> Signed, your friendly neighborhood information security professional,
> -Sean

In general, you should assume that all encryption will be broken eventually. The only practical goal is to make the encryption strong enough so that it takes so long to break it that the information -- once gained -- is useless.

--matthew (<- another security guy...)

Edited to add: I'm faced with an interesting conundrum... the pastebin link has a line with my 'krupa' username and I think that's me but when I went to reset my password (I forgot it to begin with) it said my username was something else... that username isn't in the list on pastebin... Did I create two accounts and forget about one!?
 

Sev

I taut I saw a pussy cat!
Gold Member
Silver Member
PM the Admin.
He should be able to send you the info.

Also another precaution for at home.

You should change the login name and password as well as specify what devices can access your router by limiting it to the specific MAC addresses of your devices.

If your router has a guest login you can set that up for when visitors come over and want to use your internet access.

Also if you use public WIFI you want to install a program that ensures your communication between your laptop and the public WIFI is encrypted.

A VPN is a good place to start.
 

Sev

I taut I saw a pussy cat!
Gold Member
Silver Member
This internet crap is getting to be too much work....

Just send me your soc sec and some other personal information and I'll take it all out of your hands for you. :wink::D
 

azhousepro

Administrator
Staff member
Admin
Moderator
Just as an fyi, all of the passwords at BD have been changed.

And the passwords over there are now encrypted with a different method.

Mike
 

sfleinen

14.1 & One Pocket Addict
Gold Member
Silver Member
> PM the Admin.
> He should be able to send you the info.
>
> Also another precaution for at home.
>
> You should change the login name and password as well as specify what devices can access your router by limiting it to the specific MAC addresses of your devices.
>
> If your router has a guest login you can set that up for when visitors come over and want to use your internet access.
>
> Also if you use public WIFI you want to install a program that ensures your communication between your laptop and the public WIFI is encrypted.
>
> A VPN is a good place to start.

Sev:

Great suggestions, but because we're talking about security here, I need to clarify something about the bolded part above, because as written, it's very misleading.

A VPN is an end-to-end (point-to-point) method of securing communications. Meaning, if your PC/Mac/laptop/tablet/smartphone has a VPN tunnel established to, say, your corporate network, over a WiFi connection, only the communications between your device and that corporate network is secured/encrypted. Unless the VPN policy is configured for something called "Full Tunnel" -- which forces all traffic, including non-corporate-network Internet surfing, through the VPN tunnel and out through your corporate network's firewall to its Internet connection -- your Internet traffic is NOT secured!

VPNs have nothing to do with modifying the security of the transport they are going over. In other words, if you are using a public wireless/WiFi at, say, a Starbucks, that wireless/WiFi is "in the clear" no matter what you do. You can't "force" a wireless/WiFi access point to suddenly change its security settings (e.g. go from "in the clear" to encrypted) by doing something on the client end. Loading/using VPN software only secures your traffic end-to-end to its final destination; it doesn't affect your communication to the wireless/WiFi access-point itself.

Just wanted to clarify that. The usual disclaimers about using "in the clear" (non-encrypted) wireless/WiFi at any place (especially mass-gathering public locations like Starbucks, et al.) apply. If you don't have to use them, DON'T!!

-Sean
 