Spammers still getting through registration

Status
Not open for further replies.
There's just one, huge, humongous hole in your argument. Hackers don't want access to the forum. They want access to the server. Knowing the answer to my Q&A question (it's False, by the way) isn't a security breach. Having it known by thousands of bots isn't a security breach. Having it known by hackers isn't a security breach.
Again. This is not restricted to forums. WIDEN YOUR SCOPE. Open your eyes.

Knowing your Q&A is exactly like a key to your front door.

You'd think that a PLAYSTATION or XBOX gaming network won't be hacked, but look at it now. Xbox Live was hacked, and PlayStation Network was hacked.

Ay, you know what, since I was inspired: PlayStation 3's key was not exactly a secret to anyone who knew how to open their own hardware, but when you put it in the hands of a hacker (GeoHotz in this example) you can do whatever you want with that key, including breaking the whole system wide open, then into the actual PlayStation Network server.
 
@Carlos

There was recently an add-on that allowed members to recover their account by setting up their own Q & A for their account.

Are you by chance maybe referring to this add-on and maybe getting confused?
 
@Carlos

There was recently an add-on that allowed members to recover their account by setting up their own Q & A for their account.

Are you by chance maybe referring to this add-on and maybe getting confused?
@Carlos

This is the add-on in question
http://xenforo.com/community/resources/*******-reset-password-using-secret-question.1328/

I would assume in theory, that if a user made their Q & A really simple and easy to guess, then yes, someone could get a hold of their account and through this know their e-mail address (the one that was associated with that account).

Is this by chance what you are talking about?
 
I would assume in theory, that if a user made their Q & A really simple and easy to guess, then yes, someone could get a hold of their account and through this know their e-mail address (the one that was associated with that account).

Is this by chance what you are talking about?
*nods* mmmhm!

Now, take that idea and have a thousand (ahem; millions of) Q&A submissions in your hands.
@Carlos

There was recently an add-on that allowed members to recover their account by setting up their own Q & A for their account.

Are you by chance maybe referring to this add-on and maybe getting confused?
Nope. My whole point is that Q&A isn't really good.

Let's say my favorite game of last year was Modern Warfare 2, and the Q&A has a question from that game (i.e. Modern Warfare 2 in this instance), and a generic answer such as Special Forces (widely known, right?)... I put my favorite game in another service's Q&A like... "My favorite game is..." MW2. Hacker has access to my... e-mail account.

*facepalm.*
 
*nods* mmmhm!

Nope. My whole point is that Q&A isn't really good.

Let's say my favorite game of last year was Modern Warfare 2, and the Q&A has a question from that game (i.e. Modern Warfare 2 in this instance), and a generic answer such as Special Forces (widely known, right?)... I put my favorite game in another service's Q&A like... "My favorite game is..." MW2. Hacker has access to my... e-mail account.

*facepalm.*
Self-made Q & A's are a little like passwords... You don't want to reuse them and you don't want them to be so simple.

In your "example" the fault would be your own. And overall, has nothing to do with XenForo.

Because in your example, the e-mail address would be on another server. And if you're using the same Q & A, that's just poor security on your part.

But I do agree in that I don't personally like Q & A's, but not for the reasons you've given.
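The two posts above (the one describing the reset-password-using-secret-question add-on and the one comparing self-made Q & A's to passwords) both turn on the same engineering point: a recovery answer is a low-entropy credential, so the server side has to treat it like one. The following is an added example written for this page, not code from the add-on, XenForo, or any poster. It assumes a hypothetical RecoveryStore class, PBKDF2 stretching, a per-record salt and a five-attempt online limit, and it uses a constructed wordlist of common "favorite game" answers to show that the thread's example answer falls to a few guesses without a limiter and survives with one.

```python
"""Added example (not from the add-on or XenForo): storing and verifying a
secret-question answer so that a weak or reused answer is at least hard to
guess online, and a dump of the table is not replayable on another site."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 20_000   # assumption: enough stretching to slow offline guessing of short answers


def normalize(answer: str) -> str:
    """Canonical form: strip diacritics, lowercase, collapse whitespace, so
    'Modern  Warfare 2' and 'modern warfare 2' verify the same way."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, stretched digest of the normalized answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


class RecoveryStore:
    """Hypothetical per-account secret question with salted answer digest and an online attempt limit."""

    def __init__(self, attempt_limit: Optional[int] = 5):
        self.attempt_limit = attempt_limit          # None disables the limiter (used in the demo below)
        self.records: Dict[str, Tuple[str, bytes, bytes]] = {}   # user -> (question, salt, digest)
        self.failures: Dict[str, int] = {}          # user -> consecutive failed attempts

    def enroll(self, user: str, question: str, answer: str) -> None:
        salt = os.urandom(16)   # per-record salt: the same answer on two sites yields different digests
        self.records[user] = (question, salt, hash_answer(answer, salt))
        self.failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self.attempt_limit is not None and self.failures.get(user, 0) >= self.attempt_limit

    def verify(self, user: str, answer: str) -> bool:
        if user not in self.records or self.is_locked(user):
            return False
        _, salt, digest = self.records[user]
        if hmac.compare_digest(hash_answer(answer, salt), digest):   # constant-time compare
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False


def guess_answer(store: RecoveryStore, user: str, wordlist: List[str]) -> Optional[str]:
    """Online guessing attack: try candidates until one is accepted or the account locks."""
    for candidate in wordlist:
        if store.is_locked(user):
            return None
        if store.verify(user, candidate):
            return candidate
    return None


# Constructed demo data: the kind of low-entropy "favorite game" answer discussed in the thread.
COMMON_GAME_ANSWERS = ["halo", "call of duty", "world of warcraft", "minecraft",
                       "gta", "mario", "zelda", "modern warfare 2", "skyrim"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Same weak answer, with and without the attempt limiter."""
    unlimited = RecoveryStore(attempt_limit=None)
    unlimited.enroll("carlos", "My favorite game is...", "Modern Warfare 2")
    limited = RecoveryStore(attempt_limit=5)
    limited.enroll("carlos", "My favorite game is...", "Modern Warfare 2")
    return (guess_answer(unlimited, "carlos", COMMON_GAME_ANSWERS),
            guess_answer(limited, "carlos", COMMON_GAME_ANSWERS))


if __name__ == "__main__":
    print(demo())   # ('modern warfare 2', None)
```

The limiter only blunts online guessing; it does nothing for an answer the attacker already knows from another site, which is the reuse problem the posts are arguing about. The per-record salt addresses the other half: if this table leaks, the digests cannot be matched against a harvested answer database or against another site's dump without re-running the stretch per record.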
 
*nods* mmmhm!

Now, take that idea and have a thousand (ahem; millions of) Q&A submissions in your hands.

Nope. My whole point is that Q&A isn't really good.

Let's say my favorite game of last year was Modern Warfare 2, and the Q&A has a question from that game (I.E. Modern Warfare 2 in this instance), and a generic answer such as Special Forces (widely known, right?)... I put my favorite game in another service's Q&A like... "My favorite game is..." MW2. Hacker has access to my... e-mail account.

*facepalm.*

That's your own fault then for using the same secret question at two different places.
 
Ladies and gentlemen, we have a winner.
I'm going to ask this very politely. And I mean no disrespect at all.

Is English your native language?

I only ask because it sometimes does seem as though you really take the long way around in explaining things. Which isn't exactly your fault and I'm not blaming you.

I'm just noticing that sometimes you're not as clear and direct to the point. And I'm wondering if that could be the reason why people have a hard time following you.
 
English is my native language, but people just don't understand where I'm going. I try to make a point, but people just think I've got all things confused. :confused:
That's your own fault then for using the same secret question at two different places.
As my own person, I wouldn't do it, but you've got to consider the greater community of admins who aren't experienced with this stuff. So, you have to assume that this problem will go from forums, blogs, websites, to where their most important, their most treasured account.

That's the [kind of] scale that I'm talking about here.
 
English is my native language, but people just don't understand where I'm going. I try to make a point, but people just think I've got all things confused. :confused:
OK. Thank you for answering my questions.

I had a friend who talked or wrote in such a manner. Which is likely why I understood you fairly quickly.

They wouldn't exactly come out and say the answer to something, but rather they would touch it around the edge and dance around the bush in hopes that the other person would connect the dots.

It can be frustrating to others though.

And I usually only do it myself, when the point I'm trying to make is fairly obvious (when the writing is on the wall).

When it comes to technology, such kinds of writing styles (ways of speaking) do get lost easily in translation. It's why when I talk on the Internet, I try to make it as clear as possible (usually).
 
You are far more likely to be socially engineered (which is what Carlos is talking about) from those stupid Facebook "tell me about yourself" polls than a Q&A on a forum. The Q&A's on a forum are for single-point identification of the humanity of someone trying to register. No question would be, "What is my favorite sports team?" which could then be used for social engineering. That's a real stretch.
 
They wouldn't exactly come out and say the answer to something, but rather they would touch it around the edge and dance around the bush in hopes that the other person would connect the dots.
I'm not exactly trying to go around the bushes, it's just that sometimes... It's better to prove a point, like the whole point, instead of just writing the obvious on the wall. I don't want to encourage what I'm saying [would happen]. Thing is, hackers prey on stupid, inexperienced, unsuspecting individuals.

It's like this, there was a report that hackers stole as much as $45 million all around the world because people are using ATMs that are not thoroughly secure. One bank even goes as far as allowing you to withdraw hundreds of thousands of dollars in a single ATM transaction. And in most cases, people don't realize these transactions are taking place right across the #@^&ing street. I feel bad for those in Asia.
 
You are far more likely to be socially engineered (which is what Carlos is talking about) from those stupid Facebook "tell me about yourself" polls than a Q&A on a forum. The Q&A's on a forum are for single-point identification of the humanity of someone trying to register. No question would be, "What is my favorite sports team?" which could then be used for social engineering. That's a real stretch.
I don't think it's too far outside the box.

I recall PayPal having pre-made questions to which you would supply the answer. I'm not sure if they still do it that way or not. I'm fairly sure they don't any more (this was years ago).

I believe my ISP (internet service provider) uses such pre-made questions. Of course I much prefer to avoid sites like that.

If anyone is stupid enough to reuse one for their forum (or anywhere else).... Well... Stupid is as stupid does.
 
Right, but the questions asked for Q&A at a forum are general in nature whereas the ones for social engineering are almost always specific to the person attempting to access their account. So I really fail to see the intersection of the two mediums except in extremely rare circumstances.
 
This whole thing reminds me of when ZoneAlarm first hit the streets and included a template to email back to providers that showed up in the logs. The problem is, EVERYTHING was getting logged and people were sending emails back to their own ISP asking why there were hacking attempts on their computer.

Oh? Those hits that were getting logged? DNS responses on port 53. It's for that very reason ISPs and hosting companies started to ignore those emails (rightfully so).

So now we have a bot that uses a database to answer simple Q&A responses on websites. And some are "ZOMG I'm gonna get hacked!" again.

If you're using the same question and answer from your forum on your email account, bank account, mistress account, whatever account, you deserve to get nailed. Just pack up your computer and send it back to the manufacturer for all our sake.
 
It's better to prove a point, like the whole point, instead of just writing the obvious on the wall.

Honestly, after reading all of these posts, I still fail to see what point you are proving. Don't take that the wrong way, but you have gone in so many directions with this, you never fully tied up one point.
 
Honestly, after reading all of these posts, I still fail to see what point you are proving. Don't take that the wrong way, but you have gone in so many directions with this, you never fully tied up one point.
You think I went in many directions. I think they're all relevant. :D Open. Your. Eyes.
This whole thing reminds me of when ZoneAlarm first hit the streets and included a template to email back to providers that showed up in the logs. The problem is, EVERYTHING was getting logged and people were sending emails back to their own ISP asking why there were hacking attempts on their computer.

Oh? Those hits that were getting logged? DNS responses on port 53. It's for that very reason ISPs and hosting companies started to ignore those emails (rightfully so).

So now we have a bot that uses a database to answer simple Q&A responses on websites. And some are "ZOMG I'm gonna get hacked!" again.

If you're using the same question and answer from your forum on your email account, bank account, mistress account, whatever account, you deserve to get nailed. Just pack up your computer and send it back to the manufacturer for all our sake.
To that, I respond:
As my own person, I wouldn't do it, but you've got to consider the greater community of admins who aren't experienced with this stuff. So, you have to assume that this problem will go from forums, blogs, websites, to where their most important, their most treasured account.

That's the [kind of] scale that I'm talking about here.
If you still don't get it, watch it happen in the next 5 or 10 years as companies, brands, websites fall behind the times. xrumer is going to be one of them.

This is going to be on TV news. This will be picked up on twitter, facebook, and any online news organization. You can expect a lot of account breaches. You heard it here first.
 
Large font doesn't mean you have made your point.

My secret answer is Playstation. What could a hacker do with that information? I still cannot see how any of that ties into any form of breach of security for any platform.
 