I suppose it is no secret to most of you that we suffered from an attack this week. This case is rather complicated because you can view it from many different angles, and there are many different people involved.
To our (the staff team's) current knowledge, this is the list of people who participated, one way or the other:
Kyoseron
Kaeru
DarthRiko
TNR
Arbe
Memetchilove
Snowshoe
Yoshiro
MWC
ShadowNinjaNick
MARL
Geno
Let's start out with the things that I know for certain:
a) Kyoseron places cookie stealing script in custom title.
b) Arbe uses stolen cookie to access SNN's account.
c) Using a proxy server, he unbans his IP and gives user #1974 Administrator privileges.
d) Arbe logs in to user #1974 from which he gives staff powers to several other users.
e) Panic.
And now, I would like to present some of the things I heard from various people. The following may or may not be the truth. I don't know whether it is or not. Judge for yourself:
Supposedly, Arbe only functioned as a catalyst for the attack. That is, without him, it is likely nothing would have happened. It has been claimed that he had no real interest in the attack, but only participated because he was asked for help on how to hack the Central. The people who asked him would be the same people who later got staff powers with his help so that they could empty the site's file sections and forums.
It has been suggested that the attack was performed because of certain users' dissatisfaction with certain staff members. If this is the case, I would love to hear about it. After all, this is why there is a "Staff complaints" thread. I can report that the hole used to perform this attack (to my knowledge) has been closed. A couple of other things were taken care of at the same time.
Q) So, wait, what... what does it mean to steal cookies?
A) When you log in to the site, a little text file is saved on your computer to let the site know that you are logged in. This text file contains your user ID, as well as a hashed password. Only the site is supposed to have access to this file, but with JavaScript and a little creativity, it is possible to fool your browser into sending it off to somewhere else. Now, there are filters that attempt to prevent JavaScript from executing on the site. The problem was that I missed a spot. On the profile page, the custom title would go unfiltered, and as such, it would be possible to steal a cookie.
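To show what "missing a spot" looks like in code, here is an added illustration (not the site's own code) of a profile snippet that drops the custom title into the page as-is, next to the same snippet with output escaping applied. The render functions and the sample titles are constructed for this example.

```python
import html

# Constructed sample custom titles; the "markup" one stands in for any
# title carrying script tags (no real payload is used here).
SAMPLE_TITLES = {
    "plain": "Level designer",
    "markup": "<script>/* constructed marker */</script>",
}


def render_profile_unfiltered(username, custom_title):
    """The pattern the post describes: user-controlled text inserted verbatim."""
    return (
        f'<div class="profile"><b>{username}</b> '
        f'<span class="title">{custom_title}</span></div>'
    )


def render_profile_escaped(username, custom_title):
    """Hardened version: every user-controlled value is HTML-escaped at output time,
    so '<', '>', '&' and quotes arrive in the browser as text, not markup."""
    return (
        f'<div class="profile"><b>{html.escape(username, quote=True)}</b> '
        f'<span class="title">{html.escape(custom_title, quote=True)}</span></div>'
    )


def survives_as_markup(rendered_page, untrusted_value):
    """Check used in the assertions below: does the untrusted value appear in the
    output unchanged while containing characters that the browser would parse
    as tags or attribute delimiters?"""
    risky = "<" in untrusted_value or '"' in untrusted_value
    return risky and untrusted_value in rendered_page
```

Escaping at output time is the fix for this class of bug; marking the session cookie HttpOnly additionally keeps it out of reach of page scripts, which limits the damage should another unfiltered spot turn up.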
Q) Hashed password? What does this mean? Do I have to change my password everywhere?
A) Making a hash of some text is generally an irreversible process. There do exist lookup tables on the Internet, though, where you can search for a hash's unhashed counterpart. This doesn't necessarily mean that it is possible to obtain your password from the hash. First of all, if your password was complicated, it is likely that it doesn't exist in such a lookup table. Secondly, a salt is added to the password before it is hashed. This basically means that we're adding complexity to the password so that it might not be found as easily.
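An added example (not the site's code) of the salting argument above: a small constructed lookup table reverses the plain hash of a weak password, while the salted hash of the same password is not in the table and can still be verified by the site that holds the salt. SHA-256 is used for illustration; the site's actual hash function is not stated in the post.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an online lookup table: plain (unsalted) hashes of a
# few weak passwords, mapped back to the password.
COMMON_PASSWORDS = ["password", "123456", "mario", "letmein"]
LOOKUP_TABLE = {
    hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS
}


def unsalted_hash(password):
    """Hash of the bare password: identical for every user and site that uses it."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Hash of salt + password: a different digest per user, so a precomputed
    table of bare-password hashes no longer matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def reverse_via_table(digest):
    """What a lookup table does: return the password if the digest is known."""
    return LOOKUP_TABLE.get(digest)


def make_user_record(password):
    """Store a fresh random salt alongside the salted hash (what the site keeps)."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record, candidate):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    expected = record["hash"]
    actual = salted_hash(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)
```

A salt defeats precomputed tables but not a targeted brute force of a weak password, which is why the advice below to use a password unique to this site still stands; production systems also use a deliberately slow password hash (bcrypt, scrypt or Argon2) rather than a single SHA-256 round.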
It would be safe to say that it probably wouldn't be stupid of you to change your password in places where you used the same password as you did on SMW Central. Perhaps you should consider not sharing your SMW Central password with any other accounts.
... aaaand that's basically it, I suppose. Feel free to ask any questions.