Tempest
I Run this place.
ANN Publisher
Joined: 29 Dec 2001
Posts: 10430
Location: Do not message me for support.
Posted: Fri Aug 11, 2017 9:39 pm
SejinPK wrote: | I'm not very well-informed about these things, so this may sound like a dumb question, but what would a hacker gain by stealing domains, especially for a relatively small and obscure operation like ANN? It seems particularly odd to me since they didn't steal user information, though I guess that could be because they were headed off quickly enough by ANN's recovery efforts. |
I'm pretty sure they did it for the lulz.
Tempest
I Run this place.
ANN Publisher
Joined: 29 Dec 2001
Posts: 10430
Location: Do not message me for support.
Posted: Fri Aug 11, 2017 9:42 pm
luffypirate85 wrote: | Will you expose the hacker? |
I don't know who it is, but they left a lot of breadcrumbs. It'll be up to the police to decide if this is even worth investigating, and if any of the breadcrumbs that we've turned over actually lead to someone.
-t
TheAncientOne
Joined: 06 Oct 2010
Posts: 1875
Location: USA (mid-south)
Posted: Fri Aug 11, 2017 10:34 pm
Parse Error wrote: |
farix wrote: | This is one of the things that annoy me with 2-factor authentication. |
People always get angry with me for pointing this out, but 2FA is pointless anyway. A strong password is just as effective at discouraging or stopping the same kind of random or scripted attacks that it does, but neither one can prevent a targeted attack from succeeding. Regardless of method, there's always a procedure to keep the rightful owner from getting permanently locked out of their account, which can always be exploited by someone else. |
Any security is only as effective as its weakest link. Too often that weak link ends up being some variation of "I've been locked out of my account, help me regain access".
This is a good time to remind people that if an important account of yours requires "secret questions", and you value security, don't give truthful answers to things like, "What is your mother's maiden name" or even "What is your favorite TV show", as the former type isn't difficult to find out, and answers to questions of the second type may have been mentioned by you online at some point.
In ANN's case, this entire sequence of events could have been short-circuited if the phone carrier had better security. While denying the hacker access the first 3 times was a good start, beginning with the second time that should have resulted in the carrier contacting the customer, and flagging the account to not allow any changes until that was accomplished.
I would also like to point out that there are better methods of 2FA than a text being sent to one's cell phone. Many will support a temporary authentication code that is generated based on the time and a one time secret, either provided by a hardware device or an app. As stated before, however, that can be undone if someone can still gain access to the account by answering two or three "secret questions", or in this case, have a code sent to a cell phone account that has been hijacked.
In short, it doesn't do much good to have a vault door for the entrance to your home if there is a large plain glass window around back.
gorilla491
Joined: 23 Dec 2005
Posts: 64
Posted: Fri Aug 11, 2017 10:43 pm
Over the last 12 or so years I've been visiting this site, since beginning High School basically. I can't understand why ANN is repeatedly hacked every few years.
Is it disgruntled fans not liking opinions on topics?
I hope the CSR person didn't lose their job, at the very least they can now be at the forefront of explaining what not to do. Social Engineering is now realer than it was even 5 years ago.
Well, I hope it's a quick recovery. Anime needs all the backup it can get in today's world of competing streaming services and the plight of animators and voice actors making it in the world.
curtisd88
Posted: Fri Aug 11, 2017 10:45 pm
So if I'm reading this right your phone carrier more or less gave the hacker access? So they basically GAVE him/her the power to do all of this? If that's the case then you should DEFINITELY sue your phone carrier for this. The hacker too if he's caught. This is not just some accident or mishap that can be overlooked. The money and time it will take to fix this is not cheap and simple. Hopefully ANN will get justice for this.
Yuki_Kun45
Exempt from Grammar Rules
Joined: 26 May 2008
Posts: 725
Location: U.S.A.
Posted: Fri Aug 11, 2017 10:59 pm
gorilla491 wrote: | Over the last 12 or so years I've been visiting this site, since beginning High School basically. I can't understand why ANN is repeatedly hacked every few years.
Is it disgruntled fans not liking opinions on topics?
I hope the CSR person didn't lose their job, at the very least they can now be at the forefront of explaining what not to do. Social Engineering is now realer than it was even 5 years ago.
Well, I hope it's a quick recovery. Anime needs all the backup it can get in today's world of competing streaming services and the plight of animators and voice actors making it in the world. |
If hijacking is the goal and if this particular hack was done by overseas perps in HK, perhaps they're just eyeing a domain with a lot of traffic? Maybe they hope to ransom or auction it off?
Of course also possible other attempts are people doing it for the lulz. Just speculation on my own part there.
Redbeard 101
Oscar the Grouch
Forums Superstar
Joined: 14 Aug 2006
Posts: 16941
Posted: Fri Aug 11, 2017 11:28 pm
Quote: | On ANN's side, we're moving all our domain registrations to more secure domain registrars. Once we get AnimeNewsNetwork.com back, it will go to an extremely secure (and expensive) registrar that will not make domain changes without offline confirmation. |
So will this affect content or subscriber rates? Obviously ANN's financials are private and while everyone does a great job ANN is not a Fortune 500 company. So I would imagine this increase in cost for the registrar has to come from somewhere. Does that mean fewer reviews, columns, or more ads etc. to offset the cost? Will it hinder the encyclopedia upgrade or any other upgrades that might have been planned?
At the end of the day despite everything it's nice to know the servers are ok and things can be fixed. I imagine this was even more stressful given it's prime con season as well. On a personal note I would be switching phone carriers to say the least.
Snomaster1
Subscriber
Joined: 31 Aug 2011
Posts: 2826
Posted: Fri Aug 11, 2017 11:54 pm
While I'm glad that you guys are slowly getting things back to normal, and I hope you guys get your regular spot back soon but I do have a question for you guys. How will this affect the subscription rates? Will they be raised or what?
EmpyreanBlaze
Joined: 14 Jul 2017
Posts: 44
Posted: Sat Aug 12, 2017 2:30 am
Farix wrote: |
Quote: | Cell phones aren't perfect 2-Factor security. |
This is one of the things that annoy me with 2-factor authentication. Many websites require a cellphone for 2-factor authentication to work. However, I live in an area where cellphone coverage is extremely spotty if not non-existent once you go outside of town (I live 4 miles outside the nearest town). Thus, 2-factor authentication that requires a cellphone is completely useless to me. |
Only if you get the codes via SMS instead of an authenticator app. The latter is more secure.
As for the hack itself, it wasn't anything special. Informative article nonetheless.
Kimiko_0
Joined: 31 Aug 2008
Posts: 1796
Location: Leiden, NL, EU
Posted: Sat Aug 12, 2017 4:13 am
In defense of the CSR, consider that they get called on by people who are in actual trouble because of bad luck or mistakes much more often than by hackers. Those people who were in trouble were probably very grateful when their CSR helped them recover a lost phone number in short time. Tightening security at that level will lead to customers complaining about CSR being too difficult or uncooperative more than customers praising the extra security.
I feel sorry for the CSR who might well get fired because of this case and was only doing their job of helping out a distressed customer.
Sakagami Tomoyo
Joined: 06 Dec 2008
Posts: 940
Location: Melbourne, VIC, Australia
Posted: Sat Aug 12, 2017 4:42 am
Kimiko_0 wrote: | Tightening security at that level will lead to customers complaining about CSR being too difficult or uncooperative more than customers praising the extra security. |
Just because people complain about inconveniences but don't praise security doesn't mean security should be a lower priority than convenience. I, for one, while not happy about some of the hoops I had to jump through to prove who I am to various organisations when buying a home, would still rather they be there than not, given some of the scams that were going on before those checks were made necessary.
Sure allowances need to be made for people who may have lost required documents, but that should not be a web chat operator just going "yeah, okay".
Saphiro01
Joined: 14 Jun 2003
Posts: 71
Location: California
Posted: Sat Aug 12, 2017 8:04 am
I am happy ANN is back up and that everything is relatively back to normal. I have been a lurker on the site for as long as it has existed and I have loved updating what pages in the Encyclopedia I could. Thank you for everything you do and for all the fun. I hope this site continues to be a source for news and encyclopedic information about my favorite medium for many years to come. We do have future generations to inform after all.
SWAnimefan
Joined: 10 Oct 2014
Posts: 634
Posted: Sat Aug 12, 2017 8:15 am
QuarkboySam wrote: | It's inconvenient for consumers but it does make this kind of social engineering much more difficult than in the US... I suspect that eventually the government will step in and add in some more safeguards to this kind of thing. |
No, they won't. This is a business decision, not something the government can do something about. It's the responsibility of these companies to learn the vulnerabilities of their systems and provide better security means. The only thing the government can do is provide aid through law enforcement in tracking down the hacker(s) and arrest them, providing they are within the nation or in a nation of a friendly state with a law enforcement treaty.
All I can say is these companies need to have more motivation in providing better means of security. Especially this one whose CSR dropped the ball. I don't know the contract if it waives responsibility in this situation, but if not, they should reimburse ANN for costs in restoring the status quo.
Tempest wrote: |
luffypirate85 wrote: | Will you expose the hacker? |
I don't know who it is, but they left a lot of breadcrumbs. It'll be up to the police to decide if this is even worth investigating, and if any of the breadcrumbs that we've turned over actually lead to someone.
-t |
With respect, you should not have mentioned that. You just tipped them off.
Gasero
Joined: 24 Jul 2009
Posts: 939
Location: USA
Posted: Sat Aug 12, 2017 8:23 am
Thank you for informing us about what happened.
It is always sad when someone decides to use their time to antagonize others. The only thing I can think of is that the hacker was motivated by petty grievances or domain name ransoming.
Sad
rpgmaniac
Joined: 20 Jun 2013
Posts: 16
Posted: Sat Aug 12, 2017 9:27 am
It's crazy to which length hackers go today to achieve their objective, I visit this site for many-many years probably over 10 & it was very sad what happened, I took notice instantly as I was trying to find info about an anime when this happened & I was searching all over the place to find out why ANN is down for so many hours, in short I missed you guys when you were down in first many years ago before the site's update to show news I was visiting just to get info about songs in anime now all those years later that's still my primary reason but now I keep the site always open & refresh often in order to learn news about anime, anyway keep up the good work guys & I hope that everything will go well from now on.