Craftbrewer Hoax!

Australia & New Zealand Homebrewing Forum

Help Support Australia & New Zealand Homebrewing Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
it could be that Plesk was a version older than v11, in which case passwords are stored in PLAIN TEXT.
Yikes!

LOL @ the paranoid hysteria!

Drink a beer, relax. Address and phone numbers are hardly sensitive personal information, unless your in witness protection?
Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.
 
I imagine it was all built using Plesk tools as the host now shows the default Plesk web page when viewing craftbrewer
I imagine that you're incorrect, but (I presume like you) I have no knowledge how the site/server is setup, other than the web server is running Plesk.
Plesk is software that server administrators run to make server (and client) management tasks easier - in general it has absolutely nothing to do with how an individual web site hosted on the Plesk server is written, coded, configured or how the information stored by that website is encrypted or encoded. In addition (again I have no knowledge of this individual situation) it is quite likely that the attack is related to the software/configuration used to write the website/store/database rather than how the server is setup and configured.
 
Yikes!


Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.


This is very true, and we make it even easier by putting our birthday details right here, and most use the same host name at both sites. Deleted my birthday details just now.
 
Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.
Yep, scary stuff indeed. Also, consider that every rant I and others have had about password strength, length and hashing type, is all worthless in the context of what happened to Mat. It was entirely social engineering (loopholes at Amazon and Apple allowed this), not a single password was stolen or cracked to gain access to any of the accounts, and yet they were able to cause so much havok. There is other lessons to be learned from Mat's story, but they're mostly outside the scope of this thread.

That said, what has been said about passwords previously is still incredibly important! :)
 
Yikes!


Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

I know about it, I've been working in IT industry for 15yrs. All I'm saying is your address and phone number are not secrets, your kidding yourself if you think they are.

Should I stress about it? Crossing the road is dangerous too but I don't get all paranoid about it. Keep a good password policy, relax and have a beer!
 
but they're mostly outside the scope of this thread.
I disagree. Giving people your (reused) passwords makes the whole thing easier and worse.

However, I did only link the article to give some idea of what can be done with a very small amount of information, responding to a claim that knowing someone's name and email is no big deal. There's no defending an entirely blase attitude to this stuff (which I obviously see you understand).
 
Yep, scary stuff indeed. Also, consider that every rant I and others have had about password strength, length and hashing type, is all worthless in the context of what happened to Mat. It was entirely social engineering (loopholes at Amazon and Apple allowed this), not a single password was stolen or cracked to gain access to any of the accounts, and yet they were able to cause so much havok. There is other lessons to be learned from Mat's story, but they're mostly outside the scope of this thread.

That said, what has been said about passwords previously is still incredibly important! :)
Absolutely important,and every person who clicked that link should do a thorough AV scan,NOW ! Clickjacking and drive by downloads are still common.A keystroke logger check would also be advised,if you get one imbedded and don't realise ,it's big trouble.A good one is KLDetector,just search for it.And make sure all your AV is up to date,the interweb is the wild west,be protected.
 
Absolutely important,and every person who clicked that link should do a thorough AV scan,NOW ! Clickjacking and drive by downloads are still common.A keystroke logger check would also be advised,if you get one imbedded and don't realise ,it's big trouble.A good one is KLDetector,just search for it.And make sure all your AV is up to date,the interweb is the wild west,be protected.

Or use Linux ;)
 
Neither can get Windows malware, granted, but they both have their own :) Again, less of it than Windows - but thinking they're completely immune is shortsighted at best.
 
Or use Linux ;)

Linux does not protect one from stupidity. Neither does a Mac. I use iMac, Linux and windows daily.. Linux just for fun nothing serious as I prefer my iMac.

Windows is the worst of the three operating systems but still, stupid wins overall.

Btw batz, always bullshit or leave blank your date of birth on forum sign ups and even gmail, hotmail etc.

There will always be people blindly clicking links in emails with no thought. No body can help that.
 
Or use Linux ;)
I certainly do,Ubuntu,and as far as I'm concerned ,it walks all over Windows,but I still realise the risk with ANY operating system,they can all get malware and none are bullet proof,as Mac users have started to find out lately.And just to emphasise the point again,NEVER click on suspect links ! NEVER !
 
A quick test I often do to get an idea if an email link is legit, is to mouse-over it and see what the actual link display as in the status bar before clicking on it.

For instance, a Paypal spoof email may have:

Click on this link to verify your account: http://verify.paypal.com
 
The passwords are actually only encrypted in Plesk v11 and even then it is very poorly done - if you have access to the server, you have access to the encryption key, which means you can easily decrypt the passwords. The other method employed by Plesk v11 is a hashed password....but once again this is useless as its per server, not per user, which means if you have access to the server you can decrypt the passwords very easily.
If you've gained root level access to the server then the reality is the passwords area moot point (since they can reset them anyway)!
Finally, it looks like this server had some vulnerbailities - it could be that Plesk was a version older than v11, in which case passwords are stored in PLAIN TEXT.
There's no way you could tell. As someone who manages a large number of Plesk servers, the recent vulnerabilities didn't have anything to do with how the passwords were stored (it was a SQL injection). Given the way that Craftbrewer have been specifically targeted, they may have tried any number of methods to find an exploit.

Hopefully Ross's team is on top of it all now anyway so that he can have a few beers on the weekend :)
 
These hackers are pretty stupid

If you want to steal money, wouldn't you target Golf Websites or Yacht clubs rather than tight arse homebrewers who max out their cards on 100g of hops

Pehaps they are going to the Guiness World Record of most scammed card declines per hour
 

Latest posts

Back
Top