Craftbrewer Hoax!

Shop deals on ebay
gas guyz
Advertise with us
shop deals on amazon
Australia & New Zealand Homebrewing Forum

Help Support Australia & New Zealand Homebrewing Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
gravey said:
it could be that Plesk was a version older than v11, in which case passwords are stored in PLAIN TEXT.
Click to expand...
Yikes!

Frothie said:
LOL @ the paranoid hysteria!

Drink a beer, relax. Address and phone numbers are hardly sensitive personal information, unless your in witness protection?
Click to expand...
Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.
 
gravey said:
I imagine it was all built using Plesk tools as the host now shows the default Plesk web page when viewing craftbrewer
Click to expand...
I imagine that you're incorrect, but (I presume like you) I have no knowledge how the site/server is setup, other than the web server is running Plesk.
Plesk is software that server administrators run to make server (and client) management tasks easier - in general it has absolutely nothing to do with how an individual web site hosted on the Plesk server is written, coded, configured or how the information stored by that website is encrypted or encoded. In addition (again I have no knowledge of this individual situation) it is quite likely that the attack is related to the software/configuration used to write the website/store/database rather than how the server is setup and configured.
 
bum said:
Yikes!


Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.
Click to expand...


This is very true, and we make it even easier by putting our birthday details right here, and most use the same host name at both sites. Deleted my birthday details just now.
 
bum said:
Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.

Anyone who wants to understand more of the dangers (without the technical details) have a look at this article: http://www.wired.com/gadgetlab/2012/08/app...-honan-hacking/ While you're reading it, try to remember this was done by some bored kids. Absolute tip of the iceberg stuff.
Click to expand...
Yep, scary stuff indeed. Also, consider that every rant I and others have had about password strength, length and hashing type, is all worthless in the context of what happened to Mat. It was entirely social engineering (loopholes at Amazon and Apple allowed this), not a single password was stolen or cracked to gain access to any of the accounts, and yet they were able to cause so much havok. There is other lessons to be learned from Mat's story, but they're mostly outside the scope of this thread.

That said, what has been said about passwords previously is still incredibly important! :)
 
bum said:
Yikes!


Google "identity theft" real quickly for me. See if you can work out how easy it is for someone to get credit in your name, entirely without your permission. The information they need is very easily obtained. It is even more easily obtained if you happen to be reusing passwords and they obtain it. This isn't paranoia. Password integrity is a simple, sensible concept with which more people should be familiar. You need to be more vigilant than you seem to be.
Click to expand...

I know about it, I've been working in IT industry for 15yrs. All I'm saying is your address and phone number are not secrets, your kidding yourself if you think they are.

Should I stress about it? Crossing the road is dangerous too but I don't get all paranoid about it. Keep a good password policy, relax and have a beer!
 
vortex said:
but they're mostly outside the scope of this thread.
Click to expand...
I disagree. Giving people your (reused) passwords makes the whole thing easier and worse.

However, I did only link the article to give some idea of what can be done with a very small amount of information, responding to a claim that knowing someone's name and email is no big deal. There's no defending an entirely blase attitude to this stuff (which I obviously see you understand).
 
vortex said:
Yep, scary stuff indeed. Also, consider that every rant I and others have had about password strength, length and hashing type, is all worthless in the context of what happened to Mat. It was entirely social engineering (loopholes at Amazon and Apple allowed this), not a single password was stolen or cracked to gain access to any of the accounts, and yet they were able to cause so much havok. There is other lessons to be learned from Mat's story, but they're mostly outside the scope of this thread.

That said, what has been said about passwords previously is still incredibly important! :)
Click to expand...
Absolutely important,and every person who clicked that link should do a thorough AV scan,NOW ! Clickjacking and drive by downloads are still common.A keystroke logger check would also be advised,if you get one imbedded and don't realise ,it's big trouble.A good one is KLDetector,just search for it.And make sure all your AV is up to date,the interweb is the wild west,be protected.
 
toper01 said:
Absolutely important,and every person who clicked that link should do a thorough AV scan,NOW ! Clickjacking and drive by downloads are still common.A keystroke logger check would also be advised,if you get one imbedded and don't realise ,it's big trouble.A good one is KLDetector,just search for it.And make sure all your AV is up to date,the interweb is the wild west,be protected.
Click to expand...

Or use Linux ;)
 
Neither can get Windows malware, granted, but they both have their own :) Again, less of it than Windows - but thinking they're completely immune is shortsighted at best.
 
Frothie said:
Or use Linux ;)
Click to expand...

Linux does not protect one from stupidity. Neither does a Mac. I use iMac, Linux and windows daily.. Linux just for fun nothing serious as I prefer my iMac.

Windows is the worst of the three operating systems but still, stupid wins overall.

Btw batz, always bullshit or leave blank your date of birth on forum sign ups and even gmail, hotmail etc.

There will always be people blindly clicking links in emails with no thought. No body can help that.
 
Frothie said:
Or use Linux ;)
Click to expand...
I certainly do,Ubuntu,and as far as I'm concerned ,it walks all over Windows,but I still realise the risk with ANY operating system,they can all get malware and none are bullet proof,as Mac users have started to find out lately.And just to emphasise the point again,NEVER click on suspect links ! NEVER !
 
A quick test I often do to get an idea if an email link is legit, is to mouse-over it and see what the actual link display as in the status bar before clicking on it.

For instance, a Paypal spoof email may have:

Click on this link to verify your account: http://verify.paypal.com
 
gravey said:
The passwords are actually only encrypted in Plesk v11 and even then it is very poorly done - if you have access to the server, you have access to the encryption key, which means you can easily decrypt the passwords. The other method employed by Plesk v11 is a hashed password....but once again this is useless as its per server, not per user, which means if you have access to the server you can decrypt the passwords very easily.
Click to expand...
If you've gained root level access to the server then the reality is the passwords area moot point (since they can reset them anyway)!
gravey said:
Finally, it looks like this server had some vulnerbailities - it could be that Plesk was a version older than v11, in which case passwords are stored in PLAIN TEXT.
Click to expand...
There's no way you could tell. As someone who manages a large number of Plesk servers, the recent vulnerabilities didn't have anything to do with how the passwords were stored (it was a SQL injection). Given the way that Craftbrewer have been specifically targeted, they may have tried any number of methods to find an exploit.

Hopefully Ross's team is on top of it all now anyway so that he can have a few beers on the weekend :)
 
These hackers are pretty stupid

If you want to steal money, wouldn't you target Golf Websites or Yacht clubs rather than tight arse homebrewers who max out their cards on 100g of hops

Pehaps they are going to the Guiness World Record of most scammed card declines per hour
 

Similar threads

431neb
4 tap font Bulk Buy.
2
Replies
22
Views
4K
Grainer
Grainer
joshuahardie
Vale Geoff Scharer
Replies
11
Views
2K
Hogan
Hogan
pdilley
History, Medicine, Ultimate Honey Primer
Replies
3
Views
3K
jonocarroll
jonocarroll
G
The Ahb Brew Pub
Replies
12
Views
865
Gerard_M
G
Ross
Hangover Ratings
2
Replies
31
Views
3K
AngelTearsOnMyTongue
AngelTearsOnMyTongue

Latest posts

Back
Top