Boards.ie Attack - What Happened? Please post all questions here.

Thanx 4 The Fish

Don't it always seem to go that ya don't know what you got till it's gone.
You take some advice and put up a working site.



Well done lads.

Judgement Day

OK so Pissed_Off has gone away for good but I'm still rather p.....off and it really does make me wonder about whether it is wise to continue to participate in message board type forums - as it is we have to use pseudonyms to prevent Whackos on the Boards from targeting us. Obviously we have to be careful about passwords but there is a limit to how many different ones you can have without total confusion and I would have expected the Boards to be better protected against hackers. In common with many others, I'm sure, I had to change email passwords on gmail/hotmail/yahoo accounts, on eBay/PayPal accounts and on blogs etc. That is not because they all had the same password but just to cover any possible cross referencing by the hackers. I accept that this is because I am a technophobe but there you have it and I really do appreciate the good unpaid work that the Mods and others do.

Le King

Bravo guys. Well done.

Dave!

Dave! wrote: »

/goes to Conspiracy Theories to find out what really happened

I've already locked that thread... MOD CONSPIRACY!

Well done guys, it's great to have it up and running again. Sterling work.

Hotblack Desiato

Well done guys under difficult circumstances. Glad to hear that password hashes were salted, this makes a huge improvement to security.

I've been involved in websites I can't talk about, and colleagues of mine are currently involved in websites they can't talk about, and hacks thereof they and I can't talk about* so let's just say we appreciate what you are going through right now. Problem is that apps like PHP and vBulletin are massive security holes, best to keep them updated to the max and hope for the best...


* we are among the much maligned employees of the state, some of us grep t'internet ya know..

Trinity

Just to echo the majority of posts, fantastic job, sincerely.

The way you took the time to keep everyone up to date while working your asses off was top class.

I think this will strengthen boards in the end, and the support of the members on here proves it.

Sparks

Darragh wrote: »

Not exactly sure how it was "turned into a PR exercise"?

Well, I think it started to turn around about the time you streaked O'Connell street wearing only flip-flops and a "Boards.ie is down" bandanna...

Darragh

nuxxx wrote: »

LOL at this post.

Sorry but the original downtime was apparently due to maintenence. When Boards realised that account information was at risk they released the proper information.

Glad the site is back anyway.

Actually, I should explain this as well as I can.

We took the site down and threw up a holding page - but - we didn't check what that page said. That page was the standard page for when the site *IS* down for maintenance. As you can imagine, this being the first time anything so serious has happened, there was a lot to do.

We knew very early into it that account information may be at risk. The priority became what we had to do, who we had to inform and what exactly we needed to get the site back online.

There was no attempt to deceive members from the outset - we didn't want to cause a panic and we didn't want to put the site back live before ensuring that everything was up to scratch.

Happy to elaborate on that more if needed, but that's the truth of the situation!

AlmightyCushion

Steve wrote: »

But... I already know your gmail password.. AChazabigknob (old joke for those that don't follow)

Good point though.

Given the media attention this thread has, I pity poor steve@gmail.com


We live in hope! :cool:

Nah I thought that password was way to easy to guess so I changed it. AChasasmallknob will never be guessed.

Steve

Spiritoftheseventies wrote: »

if they then went into paypal account and started using credit card numbers wouldn't the same ip address keep showing up by same user hence arousing suspicion.

Not if they know what they're doing.

There are numerous ways for a professional cybercriminal to cover their tracks.

Consistent with all current identity systems, it only affects the innocent.

Fnz

I ams glad legitimate owner on not hacked profile, also Nigerian prince. Please buy my great Viagras.

Darragh

fcukreg wrote: »

Was the media in Belfast & Derry notified...? Irish news, Derry Journal, Belfast Telegraph, BBC NI, Downtown etc

I hope so, as boards.ie has an all-Ireland user base.


Doesn't look like it though based on boards.ie reports on media contacts..
"Composed a Press Release and released it to relevant media.
Contacted the Press Office of RTE.ie to organise/facilitate 6.1 News report to broaden the reach of our notice."

"Responded to media queries including RTE news, The Last Word on TodayFM, KCLR FM, Techcentral.ie, Sunday Business Post, Irish Daily Mail, Metro Herald."

Yes, yes they were. We sent out a general press release, including to NI, but the list of media above were the ones who contacted me directly.

I heard nothing from any media in Northern Ireland, either following the Press Release or following it appearing on BBC Northern Ireland.

Hotblack Desiato

Full disclosure is much appreciated, and something that many commercial entities would not do. The golden rule of t'internet is don't try to blow smoke up my ass, and you have obeyed this in exemplary fashion

Hotblack Desiato

ninja900 wrote: »

Well done guys under difficult circumstances. Glad to hear that password hashes were salted, this makes a huge improvement to security.

I've been involved in websites I can't talk about, and colleagues of mine are currently involved in websites they can't talk about, and hacks thereof they and I can't talk about* so let's just say we appreciate what you are going through right now. Problem is that apps like PHP and vBulletin are massive security holes, best to keep them updated to the max and hope for the best...


* we are among the much maligned employees of the state, some of us grok t'internet ya know..

edit: grok not grep

copacetic

Darragh wrote: »

Actually, I should explain this as well as I can.

We took the site down and threw up a holding page - but - we didn't check what that page said. That page was the standard page for when the site *IS* down for maintenance. As you can imagine, this being the first time anything so serious has happened, there was a lot to do.

We knew very early into it that account information may be at risk. The priority became what we had to do, who we had to inform and what exactly we needed to get the site back online.

There was no attempt to deceive members from the outset - we didn't want to cause a panic and we didn't want to put the site back live before ensuring that everything was up to scratch.

Happy to elaborate on that more if needed, but that's the truth of the situation!

Re, this Darragh, I asked a question a bit earlier on this topic here

Conor

Random wrote: »

= can you give us more details as to how the admin account was compromised?

Sorry, no. Maybe in the future, maybe not. But definitely not now.

Random wrote: »

= was it the vbullietin admin account or the server one?

vBulletin.

Random wrote: »

= how was it detected so quick? do you have alerts setup or something? or was this a slow response time relative to what it should be?

There are lots of things which trigger alerts (and occasionally wake me up in the middle of the night :mad:) but in this case I happened to be doing some routine maintenance stuff that made the attack show up like a sore thumb.

Random wrote: »

= what have you spent the last 36 hours doing?

About 30 hours of work and about 6 hours of sleep.


Sorry, but I don't want to be any more specific until both we and the Gardai have had a chance to pore over everything.

randylonghorn

Judgement Day wrote: »

... and I would have expected the Boards to be better protected against hackers.

There is no such thing as absolute security on the internet (no more than real life!). There is always someone out there with a new dodge, a faster codebreaker, a back door which no one thought of before ...

Much bigger operations than Boards, with pretty limitless funds to throw at security measures, have been hacked by teenagers.

AlmightyCushion wrote: »

Nah I thought that password was way to easy to guess so I changed it. AChasasmallknob will never be guessed.

... except by your former girlfriends!

timmywex

Just to add;

Great job done in updating the site/twitter/national and international media and of course the trojan work to find out what went wrong, work a solution and get the site back online! #Congrats!

And a job well done in contacting the gardai and data protection commissioner so fast, showed you really cared!

So good luck in the investigations and keep us posted! I missed this place ove the 2 odd days twas gone!
And hopefully aswell now some of the nuisance accounts will now vanish :P

Darragh

Random wrote: »

My name is Jack Bauer tom murphy (dev/conor/dav/darragh/whoever), and this is the longest day of my life.

so .. anyways .. couple more questions .. i'm interested!

...

= what have you spent the last 36 hours doing?


thanks

Just in terms of this one, Random, I can tell you what Dav and I have been doing.

FOund out yesterday morning/afternoon. Had a meeting.

Formulated what we needed to do.

Contacted relevant people (Damien Mulley, Brian Horan, Data Protection Commissioner, Gardaí, RTÉ etc)

Manned twitter while we were down

Formulated message for the homepage, for the press release and for enquries and twitter

Once the news broke - reacted. Took quite a few calls from the media yesterday.

Stayed on twitter till almost 10pm last night, as well as answering emails and so on.

Back in this morning to man twitter, emails and prepare the stuff on the homepage that you'll see now.

Met with the Garda Computer Crime Unit.

Have been answering emails and twitter messages since the site went live.

Slept, ate pie that Tom brought in, cake that Paul brought us, chips that my girlfriend brought us and laughed, joked, sorted out stuff and did what we could.

It's been a brilliant learning experience and we've worked very well and hard as a team together - admittedly, nowhere near as hard as Ross and Conor have worked (we're all still in the office) but there you go

Overheal

You know what though, I wonder what the aftermath will be: how many posters will never come back because of lost emails and inability to verify who they are?

probably end up losing a few good men here.

I don't want to be any more specific until both we and the Gardai have had a chance to pore over everything.

so were the gards and the people at RTE all secret boardsies? is that why they responded so prudently? :pac:

PogMoThoin

Well done on the rapid response, loads of sites get hacked every day and just continue on as if it never happened

shurl

Thanks for all the hard work folks. Such professionalism and open communication is rare these days!!

Ye have earned a few pints down the local I'd say!

S.

nij

So how do we know those posting here are who they say they are? Couldn't the hackers have taken over the admins accounts? Legit question...

Darragh

copacetic wrote: »

Re, this Darragh, I asked a question a bit earlier on this topic here

However, was there consideration to warning people to change them a bit earlier in the day yesterday? If at 11.34 the files were compromised should we have put a short message that there was a security breach and people should change their passwords up? Rather than wait until 4pm to do it?

I realise that a lot of sites might not even have done that, but if you assume there was a chance peoples passwords and email addresses were compromised then 4.5 hours is a fair bit of time.

Heya, that's more a question for DeV to answer than me, to be honest. All I can honestly tell you was that we did things as fast as we could - speed was a priority. There was such a lot to do and to consider and to prepare and to take into account and to deal with and people to contact and wait for and respond to and meetings to postpone and all of that.

I know 4.5 hours may seem like a lot from the outside, but I don't think any of us were not working on what we would do for even a minute of that.

Personally, I was really surprised by just how much work it took to get us to 4pm and how quickly we achieved it all.

Terry

Darragh wrote: »

Not exactly sure how it was "turned into a PR exercise"? Re exposure - it's not exactly what I'd have termed good publicity!

The old no publicity is bad publicity thing.

The Muppit wrote: »

And hence the importance of the "cynical* media involvement to get the word out.

Casey?

Darragh

nij wrote: »

So how do we know those posting here are who they say they are?

Exactly the same way you did before!

maryd26

heya,

well done in the quick response. However just wondering as someone else did above-is there anyway to find out what our old passwords were?! I was automatically logged in on my computer so haven't a clue what mine was exactly and I could easily have had the same password for something else... Even where on another computer I just went through a few and would eventually hit on the right one! Yes I know it's silly.... but I have many different accounts... and now don't know which I need to change and would prefer to avoid changing all of them.
Cheers:)

copacetic

Darragh wrote: »

Heya, that's more a question for DeV to answer than me, to be honest. All I can honestly tell you was that we did things as fast as we could - speed was a priority. There was such a lot to do and to consider and to prepare and to take into account and to deal with and people to contact and wait for and respond to and meetings to postpone and all of that.

I know 4.5 hours may seem like a lot from the outside, but I don't think any of us were not working on what we would do for even a minute of that.

Personally, I was really surprised by just how much work it took to get us to 4pm and how quickly we achieved it all.

Absolutely, it's more of a 'we did an excellent job, but what could we have done better' /lessons learned review kind of thing.

(maybe a bit soon for that:o)

Sparks

Terry wrote: »

The old no publicity is bad publicity thing.

I was the public relations guy for the National Target Shooting Association and the Dublin University Rifle Club and the Wilkinstown Target Shooting Club for a few years there.

There most assuredly is such a thing as bad publicity.

unkel

Conor wrote: »

Sorry, no. Maybe in the future, maybe not. But definitely not now.

What's with the maybe not stuff?

Your answer is as vague as can be. Speak up lad and show some responsibility!