Forum - View topic
NEWS: Cloudflare Web Service Error Leaks Website Data, Anime/Manga Companies Respond




Note: this is the discussion thread for this article

Anime News Network Forum Index -> Site-related -> Talkback
View previous topic :: View next topic  
Author Message
Tempest_Wing



Joined: 07 Nov 2014
Posts: 305
PostPosted: Fri Feb 24, 2017 10:40 pm Reply with quote
ANN was listed as one of the sites affected by this though.
https://github.com/pirate/sites-using-cloudflare
Back to top
View user's profile Send private message
doubleO7



Joined: 17 Jul 2009
Posts: 968
PostPosted: Fri Feb 24, 2017 11:14 pm Reply with quote
Tempest_Wing wrote:
ANN was listed as one of the sites affected by this though.
https://github.com/pirate/sites-using-cloudflare


They didn't say they weren't, just that, since they don't do any type of e-commerce, there's really no sensitive information of significance (bank/card numbers, for instance) that could have gotten stolen beyond your password. Unless you use the same password everywhere, hackers have little interest in your ANN account.
Back to top
View user's profile Send private message My Anime My Manga
Tempest
ANN Publisher & CEO


Joined: 29 Dec 2001
Posts: 9466
Location: Do not message me for support.
PostPosted: Fri Feb 24, 2017 11:40 pm Reply with quote
Tempest_Wing wrote:
ANN was listed as one of the sites affected by this though.
https://github.com/pirate/sites-using-cloudflare


That's a list of sites using CloudFlare, not a list of sites that have had data leaked.

I also didn't say that no ANN data was leaked, we have no way of being certain of that. I said that we're not concerned because our servers do not hold sensitive information.
Back to top
View user's profile Send private message Send e-mail My Anime My Manga
SilverTalon01



Joined: 02 Apr 2012
Posts: 1935
PostPosted: Sat Feb 25, 2017 12:05 am Reply with quote
doubleO7 wrote:
Unless you use the same password everywhere, hackers have little interest in your ANN account.


That is what gets people in trouble though. Accounts for less secure websites get hacked, and then that password lets someone else into an account on another site. You'd think everyone would know better by this point in time, but they don't.
Back to top
View user's profile Send private message
unready



Joined: 07 Jun 2009
Posts: 361
Location: Illinois, USA
PostPosted: Sat Feb 25, 2017 12:47 am Reply with quote
I don't know how ANN uses CloudFlare, but login to ANN has been over HTTPS for a little while now.

If CloudFlare is the one providing the HTTPS service to clients, then password data could have been leaked. CloudFlare does provide this service to some customers.

If CloudFlare is merely passing HTTPS through to users from the ANN web servers, then the data in login transactions (including password) would not have been cached by CloudFlare. If this is the case, the only thing that could have been leaked by CloudFlare is your browsing history on ANN, which would mostly be forum posts, since that's probably the only thing that would push buffer limits, which is what triggered the CloudFlare bug.
Back to top
View user's profile Send private message My Anime
Zalis116
Moderator


Joined: 31 Mar 2005
Posts: 6394
Location: Kazune City
PostPosted: Sat Feb 25, 2017 1:05 am Reply with quote
SilverTalon01 wrote:
You'd think everyone would know better by this point in time, but they don't.
Nobody can remember 30 different sufficiently strong passwords, and password managers got hit by CloudBleed as well.

Seems like nothing's safe or reliable in this increasingly mad world anymore. What're we supposed to do, keep a password database in a text file or something? No wait, hackers will access your hard drive and steal the document, if keyloggers don't detect you typing everything in first. Guess we'll have to either use a typewriter (<-- which intelligence agencies are increasingly going back to!) or hand write all our passwords on paper. Then since we can't just leave that paper lying around, we'll have to get it out of our reinforced underground magnetically-sealed vaults secured by handprint, retinal scan, and voice recognition every time we need to log in anywhere. That'll give us maybe a 50/50 chance of remaining secure.
Back to top
View user's profile Send private message My Anime My Manga
Cutiebunny



Joined: 18 Apr 2010
Posts: 1374
PostPosted: Sat Feb 25, 2017 1:31 am Reply with quote
I expect that people will steal eyes if we ever get into retinal scans for ID.

TBH, I don't trust companies to protect my data. Never have. That's why I always supply fake data. Companies don't ask for proof and I wouldn't give it to them anyways.
Back to top
View user's profile Send private message Visit poster's website
SilverTalon01



Joined: 02 Apr 2012
Posts: 1935
PostPosted: Sat Feb 25, 2017 3:01 am Reply with quote
Zalis116 wrote:
Nobody can remember 30 different sufficiently strong passwords, and password managers got hit by CloudBleed as well.


I can't tell if you're going on a tangent or just being ridiculous. I'm not suggesting remembering 30 sufficiently strong passwords. What I'm suggesting is using the same password on some random forum that you do for online banking is incredibly stupid yet people do it. You don't really need *that* many passwords to be reasonably safe, and they don't even all have to be strong for example accounts that have absolutely none of your personal information.
Back to top
View user's profile Send private message
SaitoHajime101



Joined: 31 Mar 2013
Posts: 234
PostPosted: Sat Feb 25, 2017 7:41 am Reply with quote
Zalis116 wrote:
Guess we'll have to either use a typewriter (<-- which intelligence agencies are increasingly going back to!) or hand write all our passwords on paper.

Or if intelligence agencies actually have any... well intelligence, they would just build a computer with no network connection at all. That's essentially a typewriter without having to go backwards in technology. Laughing
Back to top
View user's profile Send private message
sputn1k



Joined: 29 Sep 2016
Posts: 47
PostPosted: Sat Feb 25, 2017 9:16 am Reply with quote
Zalis116 wrote:
SilverTalon01 wrote:
You'd think everyone would know better by this point in time, but they don't.
Nobody can remember 30 different sufficiently strong passwords, and password managers got hit by CloudBleed as well.


Remembering 30 passwords is actually not that hard. You just have to come up with a pattern that you can easily remember.

Sentences, for example, are super easy to remember. If you get into the realm of about 20 characters, your password has an amazing entropy and is near impossible to brute force with today's technology as well.

Take some sentences with an interchangeable word, which you then switch for every website you use:
"ILikeStrawberryIceCream" on one site, "ILikeChocolateIceCream" or "ILikeMintIceCream" on another.

To increase security even more, alternate with a different sentence for others, like "IDriveARedVolkswagen", "IDriveABlackVolkswagen", "IDriveAYellowVolkswagen" ...

As these kinds of sentence passwords are very easy to memorize, you should be able to remember the correct one for each service very easily, despite the switched out word.


If the site requires complexity via numbers, special signs ... just affix some you like at the beginning or end of the password or build a sentence that incorporates them. E.g. a dot at the end of the sentence, or a comma where it should be in the sentence.
Back to top
View user's profile Send private message
zrnzle500
SubscriberSubscriber


Joined: 04 Oct 2014
Posts: 3434
PostPosted: Sat Feb 25, 2017 9:51 am Reply with quote
Zalis116 wrote:
SilverTalon01 wrote:
You'd think everyone would know better by this point in time, but they don't.
Nobody can remember 30 different sufficiently strong passwords, and password managers got hit by CloudBleed as well.

Seems like nothing's safe or reliable in this increasingly mad world anymore. What're we supposed to do, keep a password database in a text file or something? No wait, hackers will access your hard drive and steal the document, if keyloggers don't detect you typing everything in first. Guess we'll have to either use a typewriter (<-- which intelligence agencies are increasingly going back to!) or hand write all our passwords on paper. Then since we can't just leave that paper lying around, we'll have to get it out of our reinforced underground magnetically-sealed vaults secured by handprint, retinal scan, and voice recognition every time we need to log in anywhere. That'll give us maybe a 50/50 chance of remaining secure.


Luckily my password manager is unaffected as they don't use CloudFlare (Dashlane). 1password does use CloudFlare but is unaffected as noted in the unofficial list linked in the article. Lastpass doesn't seem to be listed either. I'm not sure I would avoid using them in response to this.

Do write important passwords down though.

@sputn1k while that is better than nothing, I'm not sure I would suggest that over other options. If you can remember the pattern, hackers can think of it too.
Back to top
View user's profile Send private message
sputn1k



Joined: 29 Sep 2016
Posts: 47
PostPosted: Sat Feb 25, 2017 1:23 pm Reply with quote
zrnzle500 wrote:
You'd think everyone
@sputn1k while that is better than nothing, I'm not sure I would suggest that over other options. If you can remember the pattern, hackers can think of it too.


It is very unlikely, as the "hackers" are not checking those lists they use or adapting them.
What those people do is pretty straightforward copypasting of credentials the actual hackers stole from a breached site into a tool. That tool also has a large list of public anonymous proxies added to it, which the tool cycles through in order not to trigger rate control for a specific IP.

The normal usage scenario is:
- enter a login page
- enter your 30000 stolen credentials
- enter your list of 1000 public proxies
- press the start button
- receive a list of credentials working for that login page
- use working logins yourself or sell working logins on leak boards for small amounts of bitcoin

Those people are looking to minimize the effort required to find a working set of credentials. There's little value in adjusting passwords, trying to guess the alternate version of the string, if you'd have to do that for 30000 of them. The whole point of doing this as automated as possible is maximizing your revenue, manual intervention just drastically reduces your gains in that regards. It easier and faster to find working logins, if you just add different 30000 credentials to the tool, instead of messing around. Billions of credentials are already out there, 2 clicks away.
Back to top
View user's profile Send private message
zrnzle500
SubscriberSubscriber


Joined: 04 Oct 2014
Posts: 3434
PostPosted: Sat Feb 25, 2017 1:36 pm Reply with quote
^I'm talking about the actual hackers. How do you think they steal them? Most websites are wise enough to have such material encrypted so even if they steal it, it's just random gibberish if they don't know how to decrypt it. They decrypt it by using the fact that at least some people don't practice proper password security, so they look for commonly used passwords. It doesn't take much more time include variations with numbers and/or symbols attached, especially if they follow common patterns of doing so. And of course they aren't doing this by hand, but rather using computer programs to do it for them. I don't claim to be a cybersecurity expert, but I don't think one would suggest what you have, at least not as the first option.
Back to top
View user's profile Send private message
Zalis116
Moderator


Joined: 31 Mar 2005
Posts: 6394
Location: Kazune City
PostPosted: Sun Feb 26, 2017 3:51 pm Reply with quote
SilverTalon01 wrote:
Zalis116 wrote:
Nobody can remember 30 different sufficiently strong passwords, and password managers got hit by CloudBleed as well.


I can't tell if you're going on a tangent or just being ridiculous. I'm not suggesting remembering 30 sufficiently strong passwords. What I'm suggesting is using the same password on some random forum that you do for online banking is incredibly stupid yet people do it. You don't really need *that* many passwords to be reasonably safe, and they don't even all have to be strong for example accounts that have absolutely none of your personal information.
Well, maybe it's a little from Column A, some from column B. I guess it was Funimation previously having a separate data breach, and having to change my password there again, that contributed to my sense of "everything falling apart." I have seen other sites recommend using unique passwords for every site in the wake of this incident, which to me implies that we should be remembering dozens of strong passwords... and since online password managers have been proven unreliable, hardcopy records are the last resort.

And I assumed you meant "people should know better [than to not use unique passwords everywhere]," but I think we're in some agreement -- unique passwords on e-mail accounts and financially sensitive sites, but possibly non-unique passwords on less-critical sites. Though I've always used a unique password here, as hackers and trolls could sow far more chaos on ANN with a moderator account than with a standard user account.
Back to top
View user's profile Send private message My Anime My Manga
zrnzle500
SubscriberSubscriber


Joined: 04 Oct 2014
Posts: 3434
PostPosted: Sun Feb 26, 2017 4:18 pm Reply with quote
^What makes you say password managers have been proven unreliable? I just want to know if I ought to be concerned. Though if your evidence is this article (and the linked ones) I have already expressed that I find that argument unpersuasive, at least for some bigger ones.

On another note, I would suggest setting up two factor authentication/two step verification on important sites where available.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Anime News Network Forum Index -> Site-related -> Talkback All times are GMT - 5 Hours
Page 1 of 1

 


Powered by phpBB © 2001, 2005 phpBB Group