Spammers still getting through registration

Status
Not open for further replies.
Large font doesn't mean you have made your point.
Keep saying I'm wrong. I don't care.

I'm going to leave this thread alone and let you guys walk in circles. Then I've done my job.

It doesn't matter what I say, you guys still don't get it. That means you guys are stuck in a little box. When you open your mind to new possibilities, then power to you. Otherwise... stay in that little box.

:barefoot:
 
Keep saying I'm wrong. I don't care.

I'm going to leave this thread alone and let you guys walk in circles. Then I've done my job.

It doesn't matter what I say, you guys still don't get it. That means you guys are stuck in a little box. When you open your mind to new possibilities, then power to you. Otherwise... stay in that little box.

:barefoot:

Thanks Neo.
 
As far as Q&A on xenforo is concerned... it is only used as a check to allow for humans to submit forms.

In this sense security is not an issue unless you are broadly talking about securing your server from unwanted bot registrations.

If you are talking about letting someone login based on a security question then yes, that can be quite insecure, but since xenforo does not allow for use of a security question to bypass password entry for login, this is not relevant to spammers getting through xf registration.

If a remote site has a user account taken over by cracking a security question and that happens to be an email of a user to your site, there is nothing you as the owner of your site can do about that or do to prevent it nor would it have anything to do with allowing for spam users to register.


What you are saying makes sense for other sites and possibly some software that offer forgot your password questions Carlos, but it in no way has an application against xf directly and as far as I can tell, this thread is primarily about spam registrations related to xenforo.
 
I'm only going to respond to EQnoble or people who are trying to be nice...
As far as Q&A on xenforo is concerned... it is only used as a check to allow for humans to submit forms.
On paper, yes. That's true. This is typically done on forums, blogs, and other websites like it. Keyword: Typically.
In this sense security is not an issue unless you are broadly talking about securing your server from unwanted bot registrations.
Yes. Correct. But when you have xrumer on the market, whose database does not just cover forums and blogs... And their flexibility to deviate from their original purpose can go into a larger scope of things.
If you are talking about letting someone login based on a security question then yes, that can be quite insecure, but since xenforo does not allow for use of a security question to bypass password entry for login, this is not relevant to spammers getting through xf registration.
Yes, but Q&A is not restricted to forums and blogs.

I'll go into detail next point...
If a remote site has a user account taken over by cracking a security question and that happens to be an email of a user to your site, there is nothing you as the owner of your site can do about that or do to prevent it nor would it have anything to do with allowing for spam users to register.
A database of older, well known Q&A's [once again, index] is a security nightmare.

Because, nevermind that xrumer is originally designed for forums and blog spam. Nevermind that. Take that idea and throw it out for a second.

The list [database] of Q&A's is a list telling spammers what the possible answers are to these questions. Are we clear on that? Okay, moving on.

MATCH that database to whatever account [insert site here] retrievable account info. You now have access to the account in question. Then from there, you have access to the actual forum, social network, or website account. By and large, websites require you to have an e-mail address.

Based on what I pointed out earlier:
As my own person, I wouldn't do it, but you've got to consider the greater community of admins who aren't experienced with this stuff. So, you have to assume that this problem will go from forums, blogs, websites, to their most important, their most treasured account.

That's the [kind of] scale that I'm talking about here.
That 850 million unsuspecting members that used generic answers to questions that should only be known to yourself... turns out to be a popular "Q&A" answer. Why? Because both the question and the answer are in a database! Result: Many, many problems.
What you are saying makes sense for other sites and possibly some software that offer forgot your password questions Carlos, but it in no way has an application against xf directly and as far as I can tell, this thread is primarily about spam registrations related to xenforo.
Yeah, this thread was about xenforo, but the thread got off topic, people assume I'm confused and the topic has to go off topic. :cautious:
 
The whole point of XenForo's Q&A is that a human CAN GUESS THE ANSWER. Otherwise it is kind of pointless.

The whole point of personal Q&A used for additional security on many sites is that it should be DIFFICULT for anyone to guess the answer.

There is a complete disconnect here between the two types of Q&A.

Let me draw you a venn diagram:

Examples of XenForo Q&A used to check you are human (these are Q&As I've used):

Q. what colour is the sky on a clear/cloudless day?
A. blue

Q. a zebra has stripes in two colours, they are black and _____?
A. white

Q. the capital city of Australia is?
A. Canberra

... these should be EASY for a human to guess. The fact that XRumer has them is annoying, but not a security hole.

Examples of personal Q&A used as additional security for sensitive information (not real examples I've used):

Q. your mother's maiden name:
A. Smith

Q. your father's middle name:
A. Fred

Q. your favourite band:
A. Coldplay (you can definitely see these are fake answers, because I would never ever use Coldplay as my favourite band - unless I was trying to be tricky and avoid social engineering!).

... these should be DIFFICULT for a human to guess. If XRumer has this information about you, it IS a security problem.

But that is totally irrelevant to XenForo, since it does not use this personal Q&A type information (at least not without a 3rd party add on).

XenForo Q&A is completely irrelevant to security debates - the answers to these questions are supposed to be common knowledge - otherwise people would not be able to get past them and access your forum.

All this being said (and I digress now) - I have a personal problem with these types of personal Q&A being used as additional security - things like my date of birth is often used as a security check, but there are a lot of people who know this information! Similarly, my full address. Even my mother's maiden name and my father's middle name are common knowledge to many people. Not all that difficult to get this information with a bit of social engineering or even in some cases, just some good Google searches!

If you really want additional security beyond a simple password, you really need to move to the realm of 2-factor authentication, then to access the information you need to not only know the password, but you need to be in possession of a trusted device as well. That's much more difficult to achieve for a hacker.
 
But see, there's your problem. The questions from the Q&A on forums are not those that are used for social engineering. Asking a question like, "What's the third word in this sentence?" is not going to be something a bank or other institution uses as a failsafe for identification of users. The level of the questions is completely different and not even close to being the same. In addition, the Q&A questions are so that ANYONE can answer them, while the institutions use specific information. It's really like saying you'll hack my bank account by reading my horoscope.

I think you are being a little dramatic. That's my opinion, of course, but when you are answering points you don't agree with by insulting the intelligence of the ones who disagree it tends to make you look a tad paranoid and condescending.

edit: And everything Sim said. ;)
 
I think you are being a little dramatic. That's my opinion, of course, but when you are answering points you don't agree with by insulting the intelligence of the ones who disagree it tends to make you look a tad paranoid and condescending.
Who, me?
 


Unfortunately yes. You keep saying that those who disagree with you are missing the point or are not thinking straight when I feel - and again this is my opinion only - that we who do disagree have some valid reasons why.
 
The list [database] of Q&A's is a list telling spammers what the possible answers are to these questions. Are we clear on that? Okay, moving on.

MATCH that database to whatever account [insert site here] retrievable account info. You now have access to the account in question. Then from there, you have access to the actual forum, social network, or website account. By and large, websites require you to have an e-mail address.

But you cannot have XenForo Q&A asking questions that only a single person should know the answer to. The questions you ask are not personal in nature - they can't be otherwise nobody would get in.

Similarly, when using Q&A for additional security, you can't use generic Q&As - it has to be personalised for the individual.

So I will never get asked for my mother's maiden name when registering on XenForo, because the forum can't possibly know the answer and have that in their database as a valid answer.

Similarly, my bank asking me what the capital city of Australia is, is not a very secure check, because I can assure you that millions of people know the answer to that question.

Two totally separate things.
 
these should be DIFFICULT for a human to guess. If XRumer has this information about you, it IS a security problem.
I said "EXACTLY!" Because that's what I've been saying all along. Though, like everyone else in this thread, you try to say I'm wrong...
But that is totally irrelevant to XenForo, since it does not use this personal Q&A type information (at least not without a 3rd party add on).
Actually, [I thought] it's a simple toggle on xenForo. I thought we've known this since day one?
XenForo Q&A is completely irrelevant to security debates - the answers to these questions are supposed to be common knowledge - otherwise people would not be able to get past them and access your forum.
Then, how do spammers get past them? There are some instances where spammers do get past the little question? Oh, like someone else said, the Q&A's get added to the database.
If you really want additional security beyond a simple password, you really need to move to the realm of 2-factor authentication, then to access the information you need to not only know the password, but you need to be in possession of a trusted device as well. That's much more difficult to achieve for a hacker.
I think everyone, including myself, already knows this.
Yes Neo, you are the One.
Try sarcasm one more time, and I will start reporting.
 
One of the easiest captchas (interactive) I've found... and if you can't figure it out then you have no business participating in a forum. :p
[image: example]
 
If you still don't get it, watch it happen in the next 5 or 10 years as companies, brands, websites fall behind the times. xrumer is going to be one of them.

This is going to be on TV news. This will be picked up on twitter, facebook, and any online news organization. You can expect a lot of account breaches. You heard it here first.

I don't think you understand how XRumer works.

It IS a database. It has all sorts of useful stuff in there - including URLs for forums and Q&As that will let their spambot software access those forums.

This information is not secure information only accessible by XRumer - it is information available to everyone who uses XRumer.

So it's not hackers getting this information in the future you need to worry about ... they already have access to it!

Do I care? No.

The XRumer database contains no personal information about me - that's not how it works.

Yes, it has the answers to my XenForo registration questions for all of my forums. But that is not information that can be used to do anything but register on my forums and post spam.
 
Sim said:
If XRumer has this information about you, it IS a security problem.
I said "EXACTLY!" Because that's what I've been saying all along. Though, like everyone else in this thread, you try to say I'm wrong...

You are wrong because this has nothing to do with XenForo, as per my examples above. There is no connection between the generic Q&As used by the XenForo registration process and the personal Q&As used to secure personal information.

XRumer will NOT get this personal information from your XenForo forum because XenForo does not collect this type of personal information about you.

Actually, [I thought] it's a simple toggle on xenForo. I thought we've known this since day one?

No - XenForo does not use personal Q&As to secure any information. The only Q&As used are generic for registration (and some guests permissions).

Then, how does spammer get past them? There are some instances that spammers do get past the little question? Oh, like someone else said, the Q&A's get added to the database.

Yes, the generic, useless Q&As like "what colour is the sky". They are all in XRumer's database. They are useless for anything but posting spam on forums.
 
[image: tilting at windmills]
 
I don't think you understand how XRumer works.
Only 5 seconds of reading that wikipedia article earlier, actually, I do.
It IS a database. It has all sorts of useful stuff in there - including URLs for forums and Q&As that will let their spambot software access those forums.
See, that's even worse. I had not realized that scale until you just mention[ed] it. The way that I read that wikipedia article, is that this program doesn't just cover forums, blogs, article directories, it also covers e-mail addresses and whatnot.
This information is not secure information only accessible by XRumer - it is information available to everyone who uses XRumer.

So it's not hackers getting this information in the future you need to worry about ... they already have access to it!
If they have access to this information... then why...
Do I care? No.
You should. Because if you run a niche traffic gaming website like my network does, then they already know exactly what your favorite video game is. If that particular hacker knows the game well enough, he can get right in... in just a few seconds. Some hackers use their intuition in the equation, too. I was watching this movie, and this character, who is a hacker, looks at the picture of the person standing right across from him. He goes "you filthy man," then types the password, and lo and behold, he cracks the entry. My question at that time was "Is that even possible?"
 
I was watching this movie, and this character, who is a hacker, looks at the picture of the person standing right across from him. He goes "you filthy man," then types the password, and lo and behold, he cracks the entry. My question at that time was "Is that even possible?"

Using a movie for your prime example is not helping your case. It's a movie for a reason.
 