• Windows Secrets newsletter site hacked!


    #485429

    By Tracey Capen

    Windows Secrets might be the source for all things Windows — including security. But even we’re not immune from hackers.

    In the past couple of days, many of our subscribers reported receiving spam that appeared to come from Windows Secrets. But we can assure you, the e-mails did not come from us. We’ve always been committed to protecting our subscribers from unwanted junk mail — and we still are.


    INTRODUCTION

    Windows Secrets newsletter site hacked!


    The full text of this column is posted at windowssecrets.com/introduction/windows-secrets-newsletter-site-hacked/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1349588

      I wish to congratulate the Windows Secrets team on the way they handled this situation. My impression is a team that checks out a problem, evaluates solutions and takes action promptly. Congratulations and thanks for letting us know.
      Regards, Richard L

      • #1349589

        I guess you nipped it in the bud quite fast since I didn’t receive any spam mail from you that I could recall (or my email put the junk in the Spam folder, which I regularly delete). Thanks a heap for the heads up, but I pretty much use multiple variations of my password for different sites and it’s a complex acronym to begin with, so hopefully my other sites won’t get compromised. Thanks for the heads up on this situation too. 🙂

    • #1349596

      I hope you salted the passwords before they were hashed????

      When I logged in to the Lounge I used the wrong password and it said I had used 2 attempts! Maybe the Lounge is also being attacked by hackers?

      • #1349598

        It seems that my password was changed/corrupted, as I could not log in:(. Fortunately the reset password system worked flawlessly:).

    • #1349619

      The admins at Windows Secrets are taking all actions necessary to make our use as secure as is possible. This includes both the Newsletter and the Lounge. As you are aware, these require 2 separate Log-Ons. I have taken the added precaution of changing both the Newsletter and Lounge PWs.

      By the way if for some reason the Reset PW System for the Lounge does not work for you simply send a message in the Contact Us link on the Lounge and we can send you a PW Reset notification. Try the Reset PW System first.

      • #1349633

        I’m really happy that you were so forthcoming with this information. I received one SPAM message and now feel really bad that I didn’t report it. Sorry about that.

        I’m glad you were able to stop this so quickly!

    • #1349640

      finalword, I just sent you an email about your signature. I hope you understand.
      Ted

    • #1349642

      Your description started with one of your admin userid’s being hacked by “brute force password cracking”. What do you mean by this? Did they already have the hashed password file? Because no site these days allows multiple failed password attempts, so brute force should not work. Are you sure this wasn’t started some other way?

      • #1349645

        No kudos to the WS folks from me on this. WS must have had a WEAK Administrator password.

        Every Administrator account deserves a strong password. Example: StrongPassword!Impossible2Crack*123. Brute Force hacker attempts would take literally MILLIONS of years to crack that password. Do the math.

        • #1349654

          I am with Millwood and JohnReam on this one. First thing that came to mind is *how* a brute force attack could be successful against a site that promotes strong security practices. No eat own dog food?

      • #1349814

        Your description started with one of your admin userid’s being hacked by “brute force password cracking”. What do you mean by this? Did they already have the hashed password file? Because no site these days allows multiple failed password attempts, so brute force should not work. Are you sure this wasn’t started some other way?

        This. Was the account already compromised, or was it a brute force attack? How many bad passwords login attempts does the site allow? If there is a limit on the number of attempts, how were they able to brute force?

        I can’t help feeling we are being fed nonsense by the WS team to whitewash their incompetence.

    • #1349658

      Thanks for the heads up especially doing it through the newsletter. This ensured it was genuine. No spam mails received and password now changed.

      I did have problems signing in to the lounge though. I forgot my password and could not find a way to reset it. I spent over an hour trying to reset my password and it was only luck that I found it eventually. Even contacting the lounge could find no evidence of me, even though I had received a warning mail stating that someone had tried to access my account (myself trying wrong passwords).

      Please moderators make a RESET password link beside the login link.

      • #1349848

        Thanks Medico
        That is my problem. Trying to read something like (or similar) that. One of the reasons I use a lot of paragraphs is to break down the contents into manageable portions. I will keep a copy of the screenshot for future reference. If the reset link was on a separate line it would be easier for me to see and read. But ach! it makes life exciting having to puzzle things out :^_^:
        Once again thanks

    • #1349666

      I am under the impression that a brute force attack can be blunted by limiting the number of incorrect attempts before locking the account. Am I misinformed? Was this type of protection not in place at WS?

      WS regularly asserts that readers can rely on messages containing reader numbers since no third party could possibly know our reader numbers. Since reader numbers may have been compromised, does WS plan to change reader numbers and to use a new format that is easily differentiable from the old?

      Thank you.

      KNS

    • #1349668

      Ernie, See this thread. I hope it helps in the future, and for others.

      • #1349671

        Here is a great site about passwords for all concerned…
        https://www.grc.com/haystack.htm

        • #1349687

          I just found the spam in my “junk mail folder” where Outlook had sent it. Between Gmail and Outlook I hardly ever see spam anymore but thanks for the heads up and keep up the good work

          • #1349690

            As noted, the WS password database was hashed. Please verify you also performed the basic security step of salting the hashes.

            Most folks re-use passwords; that is just a fact of today’s computing world. If WS did not salt the hashed password file, notice should be given to all subscribers that their passwords are likely now compromised and possibly being distributed.

        • #1349841

          Medico
          Thanks for the reply. Instructions followed. BUT if you forget your existing password the link to reset is not easy to find for someone like myself who is dyslexic.

          Password now changed.

    • #1349695

      “Sept. 11: Using a brute-force password-cracking technique, a hacker gained access to the Windows Secrets website…”

      To reiterate what I think others have mentioned, wouldn’t this only be possible if Windows Secrets were using a weak enough password to be vulnerable to brute-force cracking?

      “As is common practice, we store passwords as hashes. That said, password-cracking apps can easily decode hashes…”

      Really? How are these things possible, coming from an organization that constantly preaches the importance of implementing good security?

      • #1349742

        Like a lot of other members, I too am waiting to hear whether the hashed WS password file was salted, or not. Please be forthcoming with the information.

        • #1349759

          I also want to know a clear answer to rdforbes’ question (post above mine).

          Were the Hashed PWDS in your file
          (a) Salted or
          (b) Not Salted….?

          This is critical to know.

    • #1349748

      I find it really surprising that this is for paid content readers only.

      If, and I say if, the usernames & passwords have been compromised why would one need a paid subscription to know about this.

      • #1349803

        I don’t know where you got that info but I am not a paid subscriber and I think I found out about this as fast as the rest of you.

    • #1349778

      I wouldn’t hold your breath waiting for the Windows Secrets folks to reveal details about their past or present security practices. Hardly anyone who experiences a security breach these days goes into much detail about how it happened. Just saying the passwords were not salted (if this was the case) would give the thieves useful information. Saying that they were salted if this was the case would be less damaging, I would think.

      Still, one is left wondering…

      -- rc primak

    • #1349842

      Ernie, Glad you got things sorted out. If you forget your password this is what you will get when you enter a wrong password:

      (screenshot attachment: LoungeForgottenPassword)

      I will add this to the Sticky Thread as well.

    • #1349850

      We need some excitement in our lives. Glad I could help with the puzzle.

      • #1349903

        “Windows Secrets newsletter site hacked!”

        ^^^^
        THAT should have been your _SUBJECT_ – not just the Lead Story – inside this week’s newsletter, especially since the decision was made to _wait_ until a newsletter was published before reporting it to your subscribers via email. We deserve better… What about those of us who don’t read the issue as soon as it lands in our Inbox, or visit the WS Forums often? How long until they know? Please, help me understand this.

        I did receive a spam from WS address, on 09.17.2012 @ 3:45pm EDT, entitled “$50 for your first survey!” – the body of the message contained a URL to a dropbox.com address. I knew better, get spoofed email all the time. Not usually from one of my whitelisted addresses, though…

        %*&! happens. What’s done is done. I believe in 2nd chances, will remain a subscriber… thanks for being transparent, I appreciate the explanation and can empathize with the sitz, but admit there is a trust loss.

        I would, however, like to take this opportunity to respectfully suggest that someone @WS with decision-making authority about notifications when our data is at risk, change priority from damage control to up-front timeliness of notification. Hopefully, you’ll never have to do that, but if you do – PLEASE – Email us, flag it high priority, and put it in the subject line… not 2 pages into the newsletter!

    • #1349917

      Kager: The notice was made available as soon as we were able to disclose information as accurate as possible. When something like this happens, it takes time to investigate and understand what happened, then to relay that information. This security event is covered here in the lounge, in the newsletter, and on the windowssecrets.com homepage prominently on the right side. Some answers to your initial questions are listed if you go to the homepage and click the link to the latest statement we released, including the timeline of events.

      • #1349936

        I.M.O.G.

        Thank you for your reply. I did read everything you referenced before posting initially… and believe the WS Crew generally does a fantastic job, this event notwithstanding.

        We obviously have a difference of opinion on what figures prominently enough as far as notification, though – both on the web site (where the issue is featured in a relatively small, pinkish box regarding spam with a link to the full article)…

        (screenshot attachment: wsprom)

        and – most importantly to me – in the emailed newsletter (where the subject line does not reference it, and seeing the article jump out at you requires scrolling down past the first page). That’s the fail in the notification process, as far as I am concerned, as I rarely visit the website or forums, depending almost entirely on the email newsletter for WS communication. I still hope you’ll change things should the need arise in the future.

        Thanks for hearing me out…

      • #1350023

        Kager: The notice was made available as soon as we were able to disclose information as accurate as possible. When something like this happens, it takes time to investigate and understand what happened, then to relay that information. This security event is covered here in the lounge, in the newsletter, and on the windowssecrets.com homepage prominently on the right side. Some answers to your initial questions are listed if you go to the homepage and click the link to the latest statement we released, including the timeline of events.

        :huh:

        What isn’t covered on the website, etc. is an acknowledgment that the passwords were salted AND the salt was stored in a different location. If it’s true the password file wasn’t salted, then it’s unforgivable for an organization like Windows Secrets to be so lax in its security process.

        • #1350184

          :huh:

          What isn’t covered on the website, etc. is an acknowledgment that the passwords were salted AND the salt was stored in a different location. If it’s true the password file wasn’t salted, then it’s unforgivable for an organization like Windows Secrets to be so lax in its security process.

          Good questions.

          Salt mitigates a rainbow table based attack, or a brute-force attack on hundreds or thousands of accounts. But it does nothing for a brute-force attack vector on a specific account. The announcement states a brute-force attack was used. An example of a brute-force attack is: They choose an account name, and they try 10 million passwords, hoping one is a match. If that is what they did, the salt wouldn’t matter.

          Passwords are not stored in a file, but they are salty. 😉

          • #1350205

            The announcement states a brute-force attack was used. An example of a brute-force attack is: They choose an account name, and they try 10 million passwords, hoping one is a match. If that is what they did, the salt wouldn’t matter.

            But how can millions of passwords be tried online to gain the initial access unless recommended countermeasures like account lockout after 10 attempts have been disabled?

            Brute-force attack Countermeasures

            Bruce

    • #1350148

      It can happen to the best of us.

      I’m glad WS has come forth with information on the compromise. However, I am with Millwood, JohnReam, and others on this issue. I am certain your passwords got a lot stronger than 4-5 characters and a limit on retries with substantial delays is incorporated. I did not get a spam email yet, but I am not holding my breath. I’ve heeded your advice and changed passwords.

      I know it is hard admitting to inattention. However, a little info on old password strength and time it took to break in would be very educational to all of us. Perhaps a change of reader numbers would ease the clammy atmosphere hanging over us and WS.

    • #1350160

      Isn’t this horse dead yet?

      • #1350220

        Isn’t this horse dead yet?

        Edited. My comments at the time are no longer relevant now that we have clarity on the details of the attack. Thanks to W.S. for revealing all they have.

        • #1350237

          It’s not dead because WS are using ambiguity, vagueness and other such whitewashing techniques to divert attention from the fact that they have not revealed the method of the break-in.

          Given their usual approach of being highly investigative of others’ security misdeeds, I find their lack of honesty when it comes to their own back yard to be extremely hypocritical.

          This is a statement that lacks any support in reality, in my opinion, am sorry to say it. Windows Secrets has been totally forthcoming and it has been so since the very beginning of this issue.

    • #1350178

      The problem appears to be solved. Everyone that has concerns should just change their passwords. This is a good thing to do regularly anyway.

    • #1350212

      BruceR: The user I replied to was asking if we salt passwords and how they are stored. We do salt. My example was for a simple demonstration of a targeted brute force attack, and why the salt wouldn’t matter in a situation like that one. Not an example of what happened here specifically.

      • #1350238

        BruceR: … My example was for a simple demonstration of a targeted brute force attack, and why the salt wouldn’t matter in a situation like that one. Not an example of what happened here specifically.

        You were using the example to explain what could have happened here. How is what actually happened different?

        Although salt may not have affected the administrator’s account being compromised; now the attacker has thousands of names and hashed passwords, it’s relevant, right?

        Bruce

        • #1350443

          You were using the example to explain what could have happened here. How is what actually happened different?

          Although salt may not have affected the administrator’s account being compromised; now the attacker has thousands of names and hashed passwords, it’s relevant, right?

          Bruce

          I don’t know how it’s different from what actually happened. I’m reading the same announcement you are.

          I didn’t actually say the question about salt was irrelevant. I answered it to explain where salt is relevant and where it is not. In the attack vector that gained access to the site, salt didn’t matter – it was a brute force attack on a page that didn’t limit the number of failed login attempts (note the update to the announcement, failed logins are limited on that page now). If the attacker was interested in, and was able to export hashed passwords, the salt does matter.

          It’s not dead because WS are using ambiguity, vagueness and other such whitewashing techniques to divert attention from the fact that they have not revealed the method of the break-in.

          Given their usual approach of being highly investigative of others’ security misdeeds, I find their lack of honesty when it comes to their own back yard to be extremely hypocritical.

          It was a brute force login attack on a page that didn’t limit the number of failed login attempts from a specific IP (this information is available in the announcement I linked above). I believe the best effort has been made at being entirely transparent as soon as possible with as much information as is understood. I hope this helps clarify.
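          A defender-side illustration of the two controls debated in this exchange and in #1350184 above (per-user salted hashes, and a failed-login limit per account and per source IP), written here as an added example: it is not Windows Secrets', WordPress's or vBulletin's code, and the user names, addresses and thresholds are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed, in-memory stand-in for a login system. Not the code of any
# real platform; it only shows the two controls discussed in the thread.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 10        # lockout threshold, applied per account AND per source IP
LOCKOUT_SECONDS = 900


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users with the
    same password store different hashes, so a table precomputed for one hash
    (or one leaked hash) says nothing about the rest of the database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self.failures: Dict[str, int] = {}                 # "user:x" / "ip:y" -> count
        self.locked_until: Dict[str, float] = {}           # same keys -> unlock time

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _record_failure(self, key: str, now: float) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = 0

    def login(self, username: str, password: str, source_ip: str,
              now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. Salt does not slow a guessing loop
        against one account; the per-IP / per-account counter is what stops it."""
        now = time.time() if now is None else now
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self.locked_until.get(k, 0.0) > now for k in keys):
            return "locked"
        record = self.users.get(username)
        # hash even for unknown users so response time does not reveal valid names
        salt, expected = record if record else (b"\0" * 16, b"")
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, expected):
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            self._record_failure(k, now)
        return "denied"


def demo() -> dict:
    svc = LoginService()
    svc.register("admin", "correct horse battery staple")
    svc.register("editor", "correct horse battery staple")   # same password as admin
    t0 = 1_000_000.0
    # constructed guessing loop from one address (TEST-NET range): every wrong guess
    # is denied, the tenth trips the lock, and the lock holds even for a right guess
    results = [svc.login("admin", f"guess{i}", "203.0.113.5", now=t0 + i)
               for i in range(MAX_FAILURES)]
    return {
        "denied_count": results.count("denied"),
        "locked_even_with_right_password":
            svc.login("admin", "correct horse battery staple", "203.0.113.5", now=t0 + 20),
        "after_lockout_expires":
            svc.login("admin", "correct horse battery staple", "203.0.113.5",
                      now=t0 + LOCKOUT_SECONDS + 30),
        "salts_differ": svc.users["admin"][0] != svc.users["editor"][0],
        "hashes_differ": svc.users["admin"][1] != svc.users["editor"][1],
    }
```

          Run `demo()` to see the counters in action; in a real deployment the counters would live in shared storage so the limit survives restarts and applies across web nodes.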

          • #1350444

            Thanks I.M.O.G., that is exactly what we were wondering about, in terms of how it was possible. I’ll be upfront now and reveal one of the websites under my control does not limit the number of attempts either. You can be sure I’ll be fixing that now. Although, I do wish it were likely to have the same level of page hits and attention that the W.S. site does 🙂 I have now edited my post and withdrawn my remark as it is no longer true. Please feel free to edit yours to “unquote” me (is there such a word?) if you wish.

          • #1350460

            I don’t know how it’s different from what actually happened. I’m reading the same announcement you are.

            From your “We do salt.”, it didn’t seem as though you were dependent on the same source of information as the rest of us.

            But now from the updated announcement we both know that there was no difference between your example and the actual brute force attack with no countermeasures in place.

            I didn’t actually say the question about salt was irrelevant.

            “If that is what they did, the salt wouldn’t matter.” sounded like it.

            If the attacker was interested in, and was able to export hashed passwords, the salt does matter.

            The attacker was able to export our email addresses easily enough. Why would hashed passwords be any more difficult?

            Nobody expects the ………. oh, wait …

            Bruce

            • #1350464

              From your “We do salt.”, it didn’t seem as though you were dependent on the same source of information as the rest of us.

              Gotcha. I’m familiar with the platform we run on, so I knew the salt answer – anyone who knows what runs WindowsSecrets could know it as well. The newsletter side is based on WordPress, which salts passwords. The lounge side runs vBulletin, which also salts passwords. Since I knew that, that’s why I posted it.

              But now from the updated announcement we both know that there was no difference between your example and the actual brute force attack with no countermeasures in place.

              I wasn’t the one who researched what happened, as I don’t have direct access to any of the logs or anything else related to the issue. I wouldn’t ever intentionally state something as a fact unless I was certain it was the case. Especially in a situation like this where every word is dissected. Erring on the side of caution, turns out my inferences were accurate.

              The attacker was able to export our email addresses easily enough. Why would hashed passwords be any more difficult?

              Nobody expects the ………. oh, wait …

              Bruce

              I could think of several reasons. Last time I gave you an example you only gave me more grief though. lol

    • #1350394

      Anyway, the title of this post is “windows secrets newsletter was hacked”; it was not the newsletter but all the website.

      The title of this thread, and the article/announcement, all include the word “site”.

      I don’t know because no admin said, but were our passwords in plain text?

      This thread, and the article/announcement, all confirm that our passwords were not stored in plain text.

      Bruce

    • #1351728

      Looks like they have fixed it now. The link given on the first page has changed, and is now 404, the working link is
      windowssecrets.com/introduction/the-windows-secrets-newsletter-site-hacked/

      and it is available for all not just paid subscribers. I imagine they are just waiting for Tracey to return to update the link in that post.
