# Forum Security



## SAR-1L (Mar 13, 2013)

So following the recent news of LinkedIn being hacked back in 2012,
an IT buddy from the same team where we currently contract on a DOD project
forwarded a website which gives details on user account compromises.

I was going through my list of usernames, and was irritated to find this!

Username: sar-1l

VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was leaked on approximately 2016-02-01 00:00:00 What is in this database?

Maybe someone from the forum's "new management" can help me understand how
my account information was breached, and why I wasn't notified.

Thanks,

SAR-1L


----------



## sideKahr (Oct 15, 2014)

I wonder if we are all compromised. We should have been told. I can't recall what information I gave to open an account here. I think it was just an email address.


----------



## SAR-1L (Mar 13, 2013)

sideKahr said:


> I wonder if we are all compromised. We should have been told. I can't recall what information I gave to open an account here. I think it was just an email address.


Yes sir, same day according to site.

Username: Denton

VerticalScope Network (Vbulletin) (939 Websites) has: 89 result(s) found. This data was leaked on approximately 2016-02-01 00:00:00 What is in this database?

https://www.leakedsource.com/

I am going to assume this was a site wide security breach, but interested to see the response.

*Edit:* So certain users appear to be breached. I thought Denton had asked that question, sorry sideKahr, yours seems to be fine.


----------



## Seneca (Nov 16, 2012)

I think it was just an Email address that they asked me for and then sent a temp password, it's been a while. I never set up my profile for one reason, I don't need the grief if this site gets hacked. 

Many years ago I was on a site that had been hacked and taken down by a disgruntled poster. Whether true or not that was the generally accepted story. 

Anyway I decided from that point on if it happened again all they would get would be an email address and my public comments.


----------



## Denton (Sep 18, 2012)

Denton hit the report button so admin and them will see this and hopefully come here soon.


----------



## admin (Apr 28, 2016)

Our security is some of the best I have ever seen and it is continually monitored. If the site would have been compromised I would have come to you immediately.

Sites like the one mentioned in this thread are scams 99.99% of the time. The one you referred to has a very poor reputation across the web.


----------



## Denton (Sep 18, 2012)

Thanks for the quick response, Cricket!


----------



## admin (Apr 28, 2016)

That being said, I always tell people to use common sense on the internet. 

Never provide any site with personal information. 

You should never use the same password on multiple sites and you should take care to use a password that cannot easily be broken.


----------



## SGT E (Feb 25, 2015)

SGT E VerticalScope Network (Vbulletin) (939 Websites) has: 12 result(s) found. This data was leaked on approximately 2016-02-01 00:00:00


----------



## paraquack (Mar 1, 2013)

Without trying to sound paranoid, we've probably been under scrutiny for years.
(Motto of the NSA; Scrutinize, Analyze, and Accumulate)


----------



## rice paddy daddy (Jul 17, 2012)

paraquack said:


> Without trying to sound paranoid, we've probably been under scrutiny for years.
> (Motto of the NSA; Scrutinize, Analyze, and Accumulate)


My wife has had me under close scrutiny for years, yes.


----------



## SAR-1L (Mar 13, 2013)

Cricket said:


> Our security is some of the best I have ever seen and it is continually monitored. If the site would have been compromised I would have come to you immediately
> 
> Sites like the one mentioned in this thread are scams 99.99% of the time. The one you referred to has a very poor reputation across the web.


Well if it is a scam it is a pretty poor scam,
as they didn't get any of my money.

However I did find their information on some of my account usernames pretty accurate.
Due to the uniqueness of my usernames, the breaches listed for other names were right on target with account,
its active timeline and the service it was associated with.

So... so far the only reassurance you have offered is discredit the other service, boast about the security of a forum,
security which I would find it hard to believe is even as robust as some of the major entities which have experienced cyber attacks/infiltration
over the past few years.

What makes you certain that no one has breached the security systems of the forum undetected?


----------



## GTGallop (Nov 11, 2012)

sideKahr said:


> I wonder if we are all compromised.


Buddy, I've been compromised for a long time!


----------



## admin (Apr 28, 2016)

SAR-1L said:


> Well if it is a scam it is a pretty poor, scam.
> As they didn't get any of my money.
> 
> However I did find their information on some of my account usernames pretty accurate.
> ...


Nothing is 100%, but as for the dates you provided, VerticalScope didn't even own this site then, right? The site has only been on our servers for a couple of days now. Usernames are public information, correct?

I cannot "prove" to you that the site has not been compromised, so you are simply going to have to accept (or not) that I would come directly to the community if there was an issue.

FWIW, you don't provide us with private information, like your home address or credit card number, correct? Even as an admin, I cannot view your password because it is encrypted.


----------



## GTGallop (Nov 11, 2012)

I searched the database. No names or numbers were in there for me but my user name and E-Mail address were both leaked by Vertical Scope and Linked In.


> Linkedin.com has: 1 result(s) found. This data was leaked on approximately 2012-06-05 00:00:00 email, hash, Possible plaintext password, Subscribe today to view the raw data itself!
> VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was leaked on approximately 2016-02-01 00:00:00 username, email, ipaddress, Possible plaintext password, hash, salt, Website, Subscribe today to view the raw data itself!


----------



## 1skrewsloose (Jun 3, 2013)

To the OP, I'd be more concerned about tracking on a smart phone than any website. Not trying to be a dick. I know where you're coming from though.


----------



## admin (Apr 28, 2016)

GTGallop said:


> I searched the database. No names or numbers were in there for me but my user name and E-Mail address were both leaked by Vertical Scope and Linked In.


We did not have your information in February, correct?


----------



## admin (Apr 28, 2016)

1skrewsloose said:


> To the OP, I'd be more concerned about tracking on a smart phone than any website. Not trying to be a dick. I know where you're coming from though.


Ain't that the truth. Heck, I can't remember where I have been half the time, but my phone always seems to know. LOLOL


----------



## SAR-1L (Mar 13, 2013)

Cricket said:


> Nothing is 100%, but as for the dates you provided, VerticalScope didn't even own this site then, right? The site has only been on our servers for a couple of days now. Username are public information, correct?
> 
> I cannot "prove" to you that the site has not been compromised, so you are simply going to have to accept (or not) that I would come directly to the community if there was an issue.
> 
> FWIW, you don't provide us with private information, like your home address or credit card number, correct? Even as an admin, I cannot view your password because it is encrypted.


Asking me when you guys took over? I don't know that information. I am not trying to point fingers at you or your company; it very well could have been compromised during the previous owner's tenure. Whose watch it was on isn't so much the issue as there is a good likelihood that accounts were compromised. While I remain cyber hygienic with important private information, that doesn't mean someone wasn't fishing around for information on members.

Nothing I do is secret skunk works or anything, but not all of us are in retirement either. 
What I would ask though is that new ownership keeps this in mind as I am still involved in projects.

My employment still exposes me to risk, and if someone is trying to dig up info on forum members, 
especially those active in sensitive projects, that we be notified of the intrusion and possibly
provided the records pertinent to attempts on our individual account that can be analyzed.

Especially if they are accessing our geographic login locations via IP address records. I don't need someone tracking my
travel to and from training locales via forum. If it is happening I need to know to only login when home, or
going to have to login using IP proxy software.


----------



## BuckB (Jan 14, 2016)

Cricket said:


> Nothing is 100%, but as for the dates you provided, VerticalScope didn't even own this site then, right? The site has only been on our servers for a couple of days now. Username are public information, correct?
> 
> I cannot "prove" to you that the site has not been compromised, so you are simply going to have to accept (or not) that I would come directly to the community if there was an issue.
> 
> FWIW, you don't provide us with private information, like your home address or credit card number, correct? Even as an admin, I cannot view your password because it is encrypted.


Actually, you can view passwords even though they are encrypted. It only takes about 6 lines of Python to decrypt the fields once you have access to the database, which you do as an Admin.
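
An added illustration, not part of the thread or of the forum software: the leak listing quoted earlier names `hash` and `salt` fields, and this sketch shows how a record of that shape verifies a login without the password itself being stored, plus one way a site can harden existing rows. The legacy layout `md5(md5(password) + salt)`, the record field names and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def legacy_hash(password: str, salt: str) -> str:
    """Assumed legacy layout: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def wrap_legacy(record: dict) -> dict:
    """Harden a stored row by running PBKDF2 over the existing hash.

    No plaintext password is needed, so every row can be upgraded at once
    instead of waiting for each member's next login.
    """
    kdf_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", record["hash"].encode(), kdf_salt, PBKDF2_ROUNDS
    )
    return {**record, "scheme": "pbkdf2-wrapped",
            "kdf_salt": kdf_salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the stored value from the submitted password and compare."""
    candidate = legacy_hash(password, record["salt"])
    if record.get("scheme") == "pbkdf2-wrapped":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(),
            bytes.fromhex(record["kdf_salt"]), PBKDF2_ROUNDS,
        ).hex()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, record["hash"])


def make_sample_record() -> dict:
    """Constructed sample row; not taken from any real database."""
    salt = "x7Q"
    return {"username": "example_user", "salt": salt, "scheme": "legacy",
            "hash": legacy_hash("correct horse battery", salt)}
```

The stored value is a one-way digest, so a login check recomputes it rather than reading the password back; the wrapped form keeps that property while making each recomputation far more expensive than a single fast hash.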


----------



## Auntie (Oct 4, 2014)

Hey Buck, can you help me out I can't remember my darn password on a site.


----------



## A Watchman (Sep 14, 2015)

Not funny this morning ....Edited.


----------



## BuckB (Jan 14, 2016)

Auntie said:


> Hey Buck, can you help me out I can't remember my darn password on a site.


Which site? Maybe I can.


----------



## Smitty901 (Nov 16, 2012)

Anything and everything you do on a computer has been leaked. I have been notified by the DOD and Department of the Army 4 times that my information has been compromised. 2 years ago everything in my last two security clearance reviews was hacked. Nothing is secure on a computer or database, not anywhere. Long as you know that you are good to go.


----------



## Operator6 (Oct 29, 2015)

Smitty901 said:


> Anything and everything you do on a computer has been leaked. I have been notified by the DOD and Department of the Army 4 times that My information has been compromised. 2 years ago everything in my last two security clearance reviews was hacked. Nothing is secure on a computer or data base not anywhere. Long as you know that you are good to go.


I had the Shoe Department at Macy's call me and say that someone is trying to buy shoes using my Macy's credit card... so I know where you're coming from!

Only happened once though.


----------



## Smitty901 (Nov 16, 2012)

Operator6 said:


> I had the Shoe Department at Macy's call me and say that someone is trying to buy shoes using my Macy's credit card.............so I know where your coming from !
> 
> Only happened once though.


I travel a lot. It is common a couple times a year for someone to use one of my cards. Never cost me a dime. Cancel the card, issue new number. This is why you should never use a debit card. You have no protection.


----------



## New guy 101 (Dec 17, 2014)

Operator6 said:


> I had the Shoe Department at Macy's call me and say that someone is trying to buy shoes using my Macy's credit card.............so I know where your coming from !
> 
> Only happened once though.


Uhhh... You have a Macy's Card? That sort of clashes with the whole Operator persona I had created in my mind for your screen name...


----------



## Operator6 (Oct 29, 2015)

New guy 101 said:


> Uhhh...You have a Macy's Card? That sort of clashes with the whole Operator personna I had created in my mind for your screen name...


Yes I did, I used to frequent Atlanta, GA and we would shop there rather than packing clothes...


----------



## rice paddy daddy (Jul 17, 2012)

I keep it simple - I have not had a credit card since 1985.


----------



## A Watchman (Sep 14, 2015)

Operator6 said:


> Yes I did, I use to frequent Atlanta,Ga and we would shop there rather than packing clothes...


Hmmm..... Okay, we can go with that.


----------



## Denton (Sep 18, 2012)

rice paddy daddy said:


> I keep it simple - I have not had a credit card since 1985.


Nowadays, the bad guys can open a line of credit for you, and you'd never know you were in debt up to your eyeballs.

We live in a very unsecured world.


----------



## Seneca (Nov 16, 2012)

I try to leave as small a footprint as possible, which is becoming increasingly difficult in this day and age. The obvious places to avoid are the ones that are oh so attractive, Facebook etc.


----------



## Sedition (Mar 22, 2016)

From what I have gleaned of this website without delving into the illegality realm, the board runs over HTTP connection...everything is in clear text and can easily be sniffed.
Can HTTPS be forced instead? Throwing the SSL into the mix would help secure things a little better.
Also, is the database we are using SQL? If so, may want to make sure validation is active and no one is injecting code.


----------



## Smitty901 (Nov 16, 2012)

In many cases a credit card is required for proving expenses both for tax and company compliance with federal law when it comes to reimbursed expenses. Try renting a car without a credit card. You can pay cash but you still must have a credit card. Try checking into some of your higher end motels without one.


----------



## OSOKILL (Jun 4, 2012)

SGT E said:


> SGT E VerticalScope Network (Vbulletin) (939 Websites) has: 12 result(s) found. This data was leaked on approximately 2016-02-01 00:00:00


You all ARE reading the date of that, aren't you? Feb 2016. Did you all read Cricket's join date? Vertical Scope wasn't around back then to the best of my knowledge.... Any of you remember seeing any of them around these parts in Feb? Things that make ya go Hmmmmm.

and yes I just woke up and am joining the party late ha


----------



## SAR-1L (Mar 13, 2013)

ffadmin said:


> you all ARE reading the date of that arent you Feb 2016. did you all read Crickets join date? Vertical Scope wasnt around back then to the best of my knowledge.... any of you remember seing any of them around these parts in Feb? things that make ya go Hmmmmm.
> 
> and yes I just woke up and am joining the party late ha


Vertical Scope not being in control of the forum doesn't mean there wasn't a breach in Feb.
For all we know the listing simply reflects an update in their system of the new owner of the forum that was breached.


----------



## admin (Apr 28, 2016)

We are constantly working with our tech team to make sure site security is maintained at the highest level. 
-Philip


----------

