Login Problems

Questions and discussion regarding the IT behind caves.org

Moderators: vtdarrell, Moderators

Re: Login Problems

Postby PYoungbaer » Jan 13, 2011 1:12 pm

Hi, Dave,

A work colleague experienced a similar hacker attempt today. Here's what happened: I received an email from her, stating that she was on vacation in England, had been mugged and lost her money/credit cards, but luckily still had her passport. She was struggling to pay her hotel bill in order to leave and asked for help. However, the message didn't instruct on how to help. So, some gullible friends replied to the email asking how to help, and received instructions on how to wire funds. (BTW, I was not so gullible, and called her office to find her here in the states).

The original message looked very legit, as it included her normal electronic signature, complete with contact information for her business, phone, website, etc.

She received at least a dozen phone calls of people checking to see if she was OK, but a few folks actually replied and sent funds. We've reported it to the Attorney General's Consumer Protection Office.

An additional downside is that she no longer has access to her account. Evidently the hackers, once in, change the password and user name. She's lost all her business files and is working with her provider to try to retrieve them.

I hope we can somehow ensure this doesn't happen with the NSS site.
PYoungbaer
NSS Hall Of Fame Poster
 
Posts: 1365
Joined: Apr 30, 2008 4:04 pm
Location: Plainfield, VT
NSS #: 16161 CM FE
Primary Grotto Affiliation: Vermont Cavers Association
  

Re: Login Problems

Postby David Grimes » Jan 16, 2011 1:27 pm

The only reason I question the hacker excuse is, why would they want to access a regular user's account? I could see the moderators or myself, but a regular user would not have access to any important information. I do not foresee them being successful since I use a very complex and long password and I am sure the mods here do as well. On the off chance something did go wrong the entire form and database are all backed up and could be restored if needed.
David Grimes
Admin
 
Posts: 1297
Joined: Jun 19, 2007 6:14 pm
Location: Port Richey, Fl / Harrison County, In
NSS #: 59533
Primary Grotto Affiliation: Indiana Underground Society
  

Re: Login Problems

Postby paul » Jan 17, 2011 1:40 pm

David Grimes wrote: The only reason I question the hacker excuse is, why would they want to access a regular user's account? I could see the moderators or myself, but a regular user would not have access to any important information. I do not foresee them being successful since I use a very complex and long password and I am sure the mods here do as well. On the off chance something did go wrong the entire form and database are all backed up and could be restored if needed.


These people aren't always after important information. Sometimes it's just a type of vandalism. I know of some phpBB forums which were attacked and the data purposely corrupted so that forum messages were lost.
paul
NSS Hall Of Fame Poster
 
Posts: 513
Joined: Dec 9, 2005 7:46 am
Location: Peak District, UK
Name: Paul Lydon
  

Login Problems

Postby Ernie Coffman » Jan 21, 2011 1:33 pm

I've had log-in problems several times this past month, but figured it was something with the NSS, so went through the hoops and such, but then I saw this message of Peter's, when he was being asked by a co-worker for funds, etc., and that sprang my cells to working, :doh: for I got almost the same email message in November, from a respected caver :laughing: in California, so...know now that something is amiss. Damn idiots out there! :shrug:
Ernie Coffman
NSS Hall Of Fame Poster
 
Posts: 1145
Joined: Sep 10, 2005 12:07 am
Location: Grants Pass, Oregon
  

Re: Login Problems

Postby cavedoc » Jan 24, 2011 4:02 pm

I just had the same thing happen. That means that the hackers failed?
Roger Mortimer
cavedoc
NSS Hall Of Fame Poster
 
Posts: 455
Joined: Sep 5, 2005 3:30 pm
Location: Fresno, CA
Name: Roger Mortimer
NSS #: 26529
Primary Grotto Affiliation: San Joaquin Valley Grotto
  

Re: Login Problems

Postby David Grimes » Jan 24, 2011 5:22 pm

If you were able to log in with your password but were told you have exceeded the maximum number of attempts, then yes, that means they were likely unsuccessful. Like I said before, these are probably very inexperienced hackers simply attempting a brute force attack hoping to find a single password. phpBB uses MD5 hashing for passwords, which means the only way to find a password is to either try as many words and numbers and/or combos and hope you get one right, or you would have to hack the database and find the file used to store the password hashes, then attempt to decipher the hashes. The problem is, the only way to decipher the hash is to have the hash stored in a database to check against, which is very limited and almost always unsuccessful for passwords containing combinations of letters and numbers and/or symbols. This is further complicated with passwords containing random letters and numbers. If you follow the standard password recommendations for any secured internet site when creating your cavechat password, you have a very low chance of your account being hacked. I recommend everyone use a complex password containing letters, numbers, and special symbols for any secured site. Also, the longer the password the better, since most hackers generally use wordlists containing words with 8 characters or less (this is not always the case). My best suggestion is, if you think your password may not be secure enough, simply change it to something more complex.
David Grimes
Admin
 
Posts: 1297
Joined: Jun 19, 2007 6:14 pm
Location: Port Richey, Fl / Harrison County, In
NSS #: 59533
Primary Grotto Affiliation: Indiana Underground Society
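
The maximum-attempts behaviour discussed in the post above, as an added example (not phpBB's code and not part of the original thread): once an account has too many failed logins, further attempts are refused without checking the password, and the owner gets in only after an extra challenge. The names `LoginLimiter` and `challenge_passed`, the threshold of 5, the sample credentials and the choice of PBKDF2 for storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed threshold; the thread does not state the forum's real limit


class LoginLimiter:
    """Hypothetical per-account attempt limiter with salted, iterated password storage."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, derived key)
        self.failures = {}  # username -> failed attempts since last success

    @staticmethod
    def _derive(password, salt):
        # PBKDF2-HMAC-SHA256: salted and deliberately slow, so each guess is costly
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, self._derive(password, salt))
        self.failures[user] = 0

    def login(self, user, password, challenge_passed=False):
        if user not in self.accounts:
            return "bad_password"
        if self.failures[user] >= MAX_ATTEMPTS and not challenge_passed:
            return "attempts_exceeded"  # refused before the password is even checked
        salt, stored = self.accounts[user]
        if hmac.compare_digest(self._derive(password, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad_password"


def simulate():
    """Constructed scenario: scripted guesses hit one account, then the owner logs in."""
    secret = "Karst!Window#1957-limestone"  # constructed sample password
    site = LoginLimiter()
    site.register("caver", secret)
    guesses = ["password", "caver123", "letmein", "qwerty", "123456", "dragon", secret]
    scripted = [site.login("caver", g) for g in guesses]
    owner_first = site.login("caver", secret)  # owner sees the notice
    owner_second = site.login("caver", secret, challenge_passed=True)
    return scripted, owner_first, owner_second


if __name__ == "__main__":
    print(simulate())
```

In the constructed run, even the correct password is refused once the counter is exceeded, so the "exceeded the maximum number of attempts" notice is what the account owner sees after someone else's failed guesses.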
  
