Carman Fox

Understanding Cyber Security

Status
Not open for further replies.
W

Warl0ck

On occasion I read this forum so I'd like to share a few things with the recent hack over at TERB.

1. The Chaos Computer Club was not responsible for the attack on PERB. People seemed to read CCC, googled it and came up with the Chaos Computer Club (CCC). Had you taken 2 seconds to actual read their website you would have seen they are ethical hackers and privacy advocates. They do not spend their time hacking prostitute forums. The CCC is about proof of concept of threats/vulnerabilities. They demonstrated how to hack an iPhone by using a captured finger print. Does that sound like a group that would waste it's time hacking some Canadian sex worker advertising forum?

2. It was clearly the work of social justice warriors or anti-prostitution advocates. That is another stupid assumption. Lulzsec hacked Pron dot com most likely to prove a point about lax security. The most likely culprit to attack a site like this is a competitor or someone who just enjoys watching the world burn. It's a case of seeking out weak security & embarrassing the owners of the site perhaps with the goal of destroying their business.

3. Given the sensitive nature of the information on this site I'd like to know if passwords are hashed and salted on this site (and in Toronto and Montreal). Perhaps Fred could answer this himself.
 
A

Alabama Blaze

People are reading too much into this. 90% of all hacks are not done by people but by servers running automations. Google and Alexa have hosted over 3 dozen Cyber Security webcasts detialing how automated server attacks work.

These attacks are called Death Star attacks. Death Star servers scan the web for IP addresses with Linux or Windows web servers. The server then scans those servers to see if they are using any out of date software and security measures. The server uses an automation to delpoy a script injection or to attack the OS of the servers shell.

Most hackers use Automated Death Star Servers as an easy way to hack a very large volume of websites. The targets are largely random. The common demenator is out of date and poorly managed websites.

The vast majority of Escort Advertising sites are managed by novices and ethusiast with limited knowledge of how the internet works. They are easy marks for blind attacks from Automated Death Star server attacks.

Cyber Security Experts estimate there's somewhere in the neighborhood of 2.5 million Automated hacking servers running worldwide perfroming Death Star hacks ot 1000's of sites simultaneously every hour of the day.


Lesson One: Never run a website on old software. If you don't understand cyber security, hire.an expert to help you with securing your site.
 
Last edited:

Bad Santa

Seeking Sexy Helpers
Feb 26, 2010
1,109
28
48
South Pole
Lesson One: Never run a website on old software. If you don't understand cyber security, hire.an expert to help you with securing your site.
You wouldn't happen to know anyone like that, would you AB? :wink:

And btw, how's Perb doing in your estimation? Better than CAF??
 
W

Warl0ck

@AB

For your own edification, I'm a penetration tester & not the kind that tests women but computer networks. Well it's possible the hack was automated, the person behind the wheels of several Twitter accounts is not. Nor is the supposed data dump of everything from the database. According to Netcraft this site is run on a Linux using NGINX as the web server. Netcraft puts the risk rating at 1 out of 10. Netcraft does not rate the vBulletin application that runs this forum. The foundation of good security on Linux starts with the apt-get command. And you'd want to have permission to go poking around, proverbially speaking lol.
 
A

Alabama Blaze

You wouldn't happen to know anyone like that, would you AB? :wink:

And btw, how's Perb doing in your estimation? Better than CAF??
I've given-up on most US and Canadian Cyber Security firms. I've had bad luck with either being overcharged or overpromised and undelivered; i prefer to work with Brits. Iflexion is one my favoirite consulting and validation firms for professional sites.


https://www.iflexion.com/contact

The Admin Zone forums is good choice to find a contractor on a budget.

PERB is decent over all. Fred Zed has all of his software is up to date and his NginX sever and SSL's are set-up correctly. Without doing a detailed secuirty audit you can't say more than that.

Every security measure and application on CAF is 8 -11 years olds. All of the software they're using was developed.in 2006 - 2008. The last security patches running on CAF date back to 2009 -2011.

The AdminCP was never secured, they don't have any SSL's, no validation certificaticate on the Root server to protect shell access, none of the folders have rewrite protection, the 7 year old version of the chat software they installed has 1213 known SQL exploits, 9 year old versions of SQL and PHP and the list could go on for a few days.

My tumbs are getting sore and I'm pretty sure there's a character limit. I think.you get the drift.

CAF lost 1000's of members' posts which doesn't make any sense. A Webmaster should be keeping daily back-up's. I can't fathom why any site would loose that many posts. It means the site was not being backed-up and maintianed. A hacked site should not loose more than 1-3 days worth of content at the most.

Is PERB perfect; no; PERB is light years ahead of CAF in every single.way it could be measured.
 
Last edited:

Bad Santa

Seeking Sexy Helpers
Feb 26, 2010
1,109
28
48
South Pole
I've given-up on most US and Canadian Cyber Security firms. I've had bad luck with either being overcharged or overpromised and undelivered; i prefer to work with Brits. Iflexion is one my favoirite consulting and validation firms for professional sites.


https://www.iflexion.com/contact

The Admin Zone forums is good choice to find a contractor on a budget.
Good information AB. I hope Perb and other boards are onto this kind of security after what happened at CAF recently.
 
A

Alabama Blaze

Good information AB. I hope Perb and other boards are onto this kind of security after what happened at CAF recently.
Thanks Bad Santa.

Every website should be getting anuaul security audits from a professional 3rd party. It's no different than annual check-up for yourself. 99.9% of all hacks are prevetable.

Most hackers look for mistakes and poorly maintained sites just like crooks look for houses with poor lighting and no security systems as potential targets.
 

PerbMod

Conflict Resolution Guy
Moderator
Supporting Member
Mar 28, 2015
863
6
0
www.perb.cc
I think this topic, while interesting, has run its course. We are not interested in bashing any other boards here, for any reason.
 
Status
Not open for further replies.
Ashley Madison
Vancouver Escorts