NEED HELP: EuroGA under attack

Peter wrote:

Well, we sort of have but they were pretending to be not in Russia

How interesting. I wonder who!

(as in, I think I know but further comment not required).

Last Edited by kwlf at 20 Apr 12:23

Keep in mind the reason for the attacks is to get usernames and passwords of the accounts on the systems, which can be used to attack other systems. If you use the same username/email address/password on EuroGA and other sites, you are putting yourself at unnecessary risk.

Fly more.
LSGY, Switzerland

No captcha and no message(s). I can just access the site (as a reader/lurker) or log in as a user without any captcha or message.
If it helps: tested on Chrome in an incognito window on a MacBook.

EHLE (Lelystad - NL), Netherlands

Keep in mind the reason for the attacks is to get usernames and passwords of the accounts on the systems

That won’t work on EuroGA because we absolutely do not store passwords, only hashes.

Also there is no evidence of any penetration, ever.

No captcha and no message

It is set to a low level now. I don’t think it made any difference except that, on a quick check, the growth in the server size slows down to 0.5MB/minute if I set the maximum captcha level.

a crawler that’s perhaps not parsing robots.txt but identifies itself with a useful user agent string nonetheless rather than masquerading as a desktop browser

Yeah; this is above my pay grade. I know that one can block rapid traffic easily in any decent firewall, but if you are getting hit say every 5 secs (which was the frequency on the airports site, before I blocked China and Russia) that is a lot harder.

The hidden google recaptcha is very good though; we have that in certain places but not on EuroGA generally.

Administrator
Shoreham EGKA, United Kingdom
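The post above makes the point that a firewall rule against bursts is easy, but a client that hits the site once every 5 seconds never trips a per-second threshold. The following is an added example (not code from EuroGA or from any poster) of the detection a practitioner would add instead: count hits per client over a longer window and, independently, flag clients whose inter-arrival times are suspiciously regular. The log lines, IP addresses and paths are constructed for the example; the thresholds (15 hits per 2 minutes, coefficient of variation below 0.2) are illustrative assumptions, not values from the page.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-format line: client IP, timestamp in brackets, quoted request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def make_log():
    """Constructed access log (hypothetical IPs and paths, not real traffic).

    203.0.113.7 fetches a page every 5 s for two minutes, the pattern the post
    describes; 198.51.100.2 and 198.51.100.9 browse irregularly like humans."""
    t0 = datetime(2024, 4, 20, 12, 0, 0)
    lines = []
    for i in range(24):  # 24 hits in 120 s, exactly one every 5 s
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(
            f'203.0.113.7 - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
            f'"GET /forum/topic/{1000 + i} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        )
    humans = {"198.51.100.2": [0, 3, 41, 42, 90, 118],
              "198.51.100.9": [7, 70, 72, 73, 115]}
    for ip, offsets in humans.items():
        for off in offsets:
            ts = t0 + timedelta(seconds=off)
            lines.append(
                f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
                f'"GET /forum/topic/{off} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
            )
    return lines


def parse(lines):
    """Group request timestamps by client IP, sorted in time order."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    for times in by_ip.values():
        times.sort()
    return dict(by_ip)


def max_in_window(times, window_s):
    """Largest number of hits from one client inside any window of window_s seconds."""
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > timedelta(seconds=window_s):
            j += 1
        best = max(best, i - j + 1)
    return best


def exceeds_burst(times, max_per_sec=5):
    """The classic firewall rule: more than N hits in any one-second window.
    A client hitting every 5 s never triggers this."""
    return max_in_window(times, 1) > max_per_sec


def looks_like_bot(times, window_s=120, max_hits=15, max_cv=0.2):
    """Two slower checks that do catch the steady client:
    1. more than max_hits in a longer window;
    2. inter-arrival times with very low relative spread (humans are bursty,
       scripts are metronomic)."""
    if max_in_window(times, window_s) > max_hits:
        return True
    if len(times) >= 6:
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            return True
    return False


def classify(lines):
    """Per-IP verdict under both the burst rule and the sustained-rate rule."""
    return {ip: {"burst": exceeds_burst(t), "sustained": looks_like_bot(t)}
            for ip, t in parse(lines).items()}


if __name__ == "__main__":
    for ip, verdict in classify(make_log()).items():
        print(ip, verdict)
```

The point of running both rules side by side is that the burst rule stays `False` for every client, including the scripted one, while the longer window and the regularity check single it out; in practice the flagged IP would be handed to the firewall or to a tool such as fail2ban, which is where the blocking the post mentions would actually happen.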

Peter wrote:

That won’t work on EuroGA because we absolutely do not store passwords, only hashes.

Give me your hashes and I’ll give you the clear text passwords. :)

Fly more.
LSGY, Switzerland

I’ll be happy to help. 15+ years of experience working in tech (web development, servers), though not really into Ruby on Rails. But I think the problem is more related to the configuration of the server rather than the programming part.

LRPW, LRBS, Romania

Peter wrote:

That won’t work on EuroGA because we absolutely do not store passwords, only hashes.

That’s a dangerous assumption to make.

Firstly – how good are the hashes, and are they salted? If you’re using MD5 hashes, these are absolutely insecure. If they are using the MySQL password hashing function (which may have been improved these days so this may no longer be a factor for new password databases), then they are absolutely insecure. If the hashes are unsalted, even if the algorithm is good, this makes it trivial for the attacker who has stolen your user database to get all the passwords (see “rainbow tables”).

Then there’s how good the passwords are themselves. Short passwords are easy to brute force even when a good hashing algorithm and salts are used, dictionary based passwords (and close dictionary, such as using common substitutions, e.g. “p@ssw0rd” for “password”) are very easy to break. Once the attacker has your user database, all they have to do is run a dictionary of passwords against the hashes until matches are found, and this is a task that is embarrassingly parallelizable (in other words, if you also have a bunch of compromised home PCs in a botnet, they can be put to work).

They can then use the emails and cracked passwords in credential stuffing attacks.

Sites with good salted hashes can protect against some of this by, for example, having a dictionary of known compromised passwords and not allowing users to choose these as a password, and by having minimum password length rules.

Last Edited by alioth at 21 Apr 11:49
Andreas IOM
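To make the post above concrete, here is an added example (not code from EuroGA, from the poster, or from any real leak) that runs both halves of the argument: a dictionary with the common substitutions the post mentions is turned into a lookup table that instantly recovers every unsalted MD5 hash it covers, and the same dictionary is then reused as the "known compromised" list for the defence, alongside a per-user random salt, a slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as the illustration; bcrypt or Argon2 would do equally well) and a minimum length. The user records, word list, minimum length of 12 and iteration count are all constructed assumptions for the example.

```python
import hashlib
import hmac
import itertools
import os

# Constructed stand-in for a leaked user table: e-mail address -> unsalted MD5.
# Hypothetical accounts; the hashes are computed here, not copied from anywhere.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password").hexdigest(),
    "bob@example.com": hashlib.md5(b"p@ssw0rd").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tr0ub4dor&3xK9!q").hexdigest(),
}

# A tiny cracking dictionary plus the "close dictionary" substitutions
# the post describes (p@ssw0rd for password).
BASE_WORDS = ["password", "letmein", "qwerty", "aviation", "cessna172", "flymoreoften"]
SUBS = {"a": "@", "o": "0", "e": "3", "i": "1", "s": "$"}


def leet_variants(word):
    """Yield the word itself and every combination of the common substitutions."""
    positions = [i for i, ch in enumerate(word) if ch in SUBS]
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = SUBS[chars[i]]
            yield "".join(chars)


def dictionary():
    """All candidate passwords, each yielded once."""
    seen = set()
    for word in BASE_WORDS:
        for variant in leet_variants(word):
            if variant not in seen:
                seen.add(variant)
                yield variant


def build_lookup_table(hash_fn):
    """Precompute hash -> plaintext once. This is the rainbow-table idea in
    its simplest form, and it only works because there is no salt: every
    user with the same password has the same hash."""
    return {hash_fn(pw.encode()).hexdigest(): pw for pw in dictionary()}


def crack_unsalted(leaked):
    """Recover every leaked password that the table covers, in one pass."""
    table = build_lookup_table(hashlib.md5)
    return {user: table[h] for user, h in leaked.items() if h in table}


def attack_cost(n_users):
    """Hash evaluations an attacker needs to test the whole dictionary:
    once in total without salts, once per user with per-user salts."""
    n = sum(1 for _ in dictionary())
    return {"unsalted": n, "salted": n * n_users}


# --- the defence side: policy, per-user salt, slow KDF ---
MIN_LENGTH = 12                     # assumed policy value
ITERATIONS = 100_000                # assumed; raise on real hardware
BREACHED = set(dictionary())        # stand-in for a list of known-compromised passwords


def check_policy(password):
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password in BREACHED or password.lower() in BREACHED:
        return "known compromised"
    return None


def store_password(password):
    """Fresh 16-byte random salt per user, then a deliberately slow derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_MD5))
    print("cost for 1000 users:", attack_cost(1000))
    for pw in ("password", "flymoreoften", "Fly-More-Often-2024"):
        print(pw, "->", check_policy(pw) or "accepted")
```

Running it shows the two sides of the post: alice's and bob's passwords fall to the precomputed table without any per-user work, carol's long non-dictionary password does not, and on the defending side the same dictionary rejects both the short and the merely long-but-known choices before they are ever hashed. Note that `store_password` gives a different salt and digest every call for the same input, which is exactly what denies the attacker the one-table-fits-all shortcut.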

alioth wrote:

That’s a dangerous assumption to make.

Could not agree more.

Here’s what the bad guys do – they get a copy of your username and password database – these usernames are very often the user’s email address. 99.9999% of people use the same email address for all their accounts, and according to several credible sources, over 60% reuse the password. https://www.enzoic.com/blog/8-stats-on-password-reuse/

This means that if the bad guys have a list of 1000 usernames and well-hashed passwords, they will probably crack about 10% of those, and about 60+% of those can be used to log into their Facebook, Gmail, and other systems. Once on these systems, they can find other places to hack.

Anyone who underestimates these bad guys does so at their peril. They are very persistent, intelligent, have good tools, and do this 8-10 hours a day. They only have to win once, and you have lost (all?) your money. You have to successfully defend against them 100s of times a day.

Last Edited by eurogaguest1980 at 21 Apr 12:03
Fly more.
LSGY, Switzerland

Guys, this is another thread off the rails.

No, I am not going to give you the hash file; why should anyone do that? Hashes can potentially be reversed.

The subject is a bot or similar attack. It has been sorted for a while with a bigger server, which would have been needed anyway sometime this year due to forum growth.

EDIT: there is a newly enabled bot filter which may well work, and much more server space so files can swell before they are auto-trimmed.

Administrator
Shoreham EGKA, United Kingdom