Change Your BMWMOA Password Now! - K-Bikes.com - Excellence in Motion
post #1 of 11 (permalink) Old Feb 2nd, 2012, 12:04 am Thread Starter
Veteran
 
Join Date: Jul 2007
Location: Anaheim, CA, USA
Posts: 1,397
Change Your BMWMOA Password Now!

If you are a BMWMOA member, you should go to the BMWMOA website and change your password. Pay special attention where they advise you to change passwords on other websites where you use the same or similar passwords. Here is the text of the announcement from BMWMOA:

Forum Database Leaked
---------------------------------------------
The club administration has become aware that our forum's database has been obtained and leaked. This thread provides the information that we have about the event and advice about how to handle it.

Apparently someone was able to download part or all of the live database around January 27th. We became aware of this yesterday (1/30). A conference call was held this morning to discuss the situation, between Club President Greg Feeler, Executive Director Ray Zimmerman, IT administrator Jeff Betz, Forum Administrator Kurt Schrader and me, Forum Liaison Darryl Richman.

We have determined that forum user names and associated email addresses were leaked, as well as one-way encrypted hash codes of forum passwords. Other forum related information was probably downloaded as well, but we do not have direct evidence of this.

Unfortunately, this probably means that all our members will now receive more spam mail at their registered email address.

Beyond that, the password hash codes are difficult -- but not impossible -- to break. Some techniques that the bad guys use may quickly break some weak passwords.

We highly recommend that you change your password here, and anywhere else you use the same or similar passwords, especially on sites that may have your financial information.

We are now in the process of sending an email to every member in the database to warn them that they should change their password.

Because a member's username and password provide access to the club functions on the website as well as the forum, someone could impersonate a member. We think this is unlikely because the club's website does not keep any financial information that can be used to make purchases.

We are also trying to determine how the leak was accomplished and determine how to secure it from this exploit. We expect to update this thread with progress on this soon.

I am leaving this topic locked so that any additional information we learn can be readily disseminated. Please use this other thread for discussion.

Thanks for your patience.
__________________
--Darryl Richman, forum liaison

..............................................

The club began a mass emailing this afternoon to alert all members that they should change their passwords. The mail is going out through a mailing service, so I'm not sure how long it will take to plow through ~40,000 emails.
__________________
--Darryl Richman, forum liaison
XMagnaRider is offline  
post #2 of 11 (permalink) Old Feb 2nd, 2012, 12:09 am Thread Starter
Veteran
 
Join Date: Jul 2007
Location: Anaheim, CA, USA
Posts: 1,397
Here is a link to the BMWMOA thread. You must have a BMWMOA account to see it:

http://www.bmwmoa.org/forum/showthread.php?p=745033
XMagnaRider is offline  
post #3 of 11 (permalink) Old Feb 2nd, 2012, 5:01 pm
Member
 
K13GT's Avatar
 
Join Date: Nov 2009
Location: P-Town, Cali, USA
Posts: 76
Posted this on the BMWMOA thread:
http://www.bmwmoa.org/forum/showthread.php?t=58114

As others have stated: "Do Not Use the same password on multiple sites and if you do change all those to uniquely different passwords".

What concerns me with the BMWMOA site is that unless the vulnerabilities associated with vBulletin, PHP, MySQL, and CGI abuses (and possibly other web related apps, etc.) are addressed, changing one's password really isn't going to do much. Yes, you have a new "lock" on the front door but the back door is still open.

Has BMWMOA ever done a vulnerability assessment of their (our) web site? If not, might be a good time to start doing it on a routine basis and address (patch) any outstanding issues.



Ok, as for this site, it looks like we're running an old version, "vBulletin 3.0.9", which has issues. I believe that incremental updates (within the version range) of vBulletin are free as long as the license is valid, correct? Upgrading to the most current version (4.0) would probably incur a cost.

Do our "Mods" do any vulnerability assessments?

Thoughts? Concerns?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1980 FXB STURGIS
2010 K1300 GT

2011 K1300 S
K13GT is offline  
post #4 of 11 (permalink) Old Feb 3rd, 2012, 5:34 am Thread Starter
Veteran
 
Join Date: Jul 2007
Location: Anaheim, CA, USA
Posts: 1,397
Quote:
Originally Posted by K13GT
Posted this on the BMWMOA thread:
http://www.bmwmoa.org/forum/showthread.php?t=58114

As others have stated: "Do Not Use the same password on multiple sites and if you do change all those to uniquely different passwords".

What concerns me with the BMWMOA site is that unless the vulnerabilities associated with vBulletin, PHP, MySQL, and CGI abuses (and possibly other web related apps, etc.) are addressed, changing one's password really isn't going to do much. Yes, you have a new "lock" on the front door but the back door is still open.

Has BMWMOA ever done a vulnerability assessment of their (our) web site? If not, might be a good time to start doing it on a routine basis and address (patch) any outstanding issues.



Ok, as for this site, it looks like we're running an old version, "vBulletin 3.0.9", which has issues. I believe that incremental updates (within the version range) of vBulletin are free as long as the license is valid, correct? Upgrading to the most current version (4.0) would probably incur a cost.

Do our "Mods" do any vulnerability assessments?

Thoughts? Concerns?
Thoughts: Get real. The mods probably do not cover their costs for bandwidth, let alone a vulnerability assessment. Nor do they have the time. Instead, the members should assess the risks vs. value of the website in case the website is compromised. Assume that the website is vulnerable. Nobody is forcing you to be a member, you know.

Concerns: Few. I have separate, unique, strong, random passwords for each website I use, and always have. If someone takes over the k-bikes.com website or my k-bikes account, they will get little information, including a throwaway email address. I hope they give better motorcycle advice than me.

(The purpose of the above is not to boast, but serve as an example for others.)

The primary reason I started this thread is to warn my friends who are more exposed, especially those who use the same usernames and weak passwords at BMWMOA and other websites, especially if they use them to access medical or financial accounts.

Last edited by XMagnaRider; Feb 3rd, 2012 at 10:12 am. Reason: Corrected typo
XMagnaRider is offline  
post #5 of 11 (permalink) Old Feb 3rd, 2012, 5:44 pm
Member
 
K13GT's Avatar
 
Join Date: Nov 2009
Location: P-Town, Cali, USA
Posts: 76
Quote:
Originally Posted by XMagnaRider
Thoughts: Get real. The mods probably do not cover their costs for bandwidth, let alone a vulnerability assessment. Nor do they have the time. Instead, the members should assess the risks vs. value of the website in case the website is compromised. Assume that the website is vulnerable. Nobody is forcing you to be a member, you know.

Concerns: Few. I have separate, unique, strong, random passwords for each website I use, and always have. If someone takes over the k-bikes.com website or my k-bikes account, they will get little information, including a throwaway email address. I hope they give better motorcycle advice than me.

(The purpose of the above is not to boast, but serve as an example for others.)

The primary reason I started this thread is to warn my friends who are more exposed, especially those who use the same usernames and weak passwords at BMWMOA and other websites, especially if they use them to access medical or financial accounts.
Get Real?! That's exactly the point, Get Real. Strong passwords are only one aspect.
Just because you've got a strong password and a bunch of disposable email addresses won't stop your box from being "whack" when you go to your favorite forum that's been hacked and is now redirecting you to a malicious site and that site has now dropped a Trojan on your box and pulled all your personal data off.

So, why shouldn't members of a forum be concerned about the "health and well being" of a site they participate in? You yourself said "I started this thread is to warn my friends who are more exposed..."

Why isn't discussing issues that may help a prospective / current forum member better understand "their individual risks" as to whether or not they wish to join or remain a member of value?

It would also be of more value for the Mods/Admins to say what they can or can't do with regard to maintaining the site (and yes that includes the cyber security aspects too) than for someone else to just speculate on.

K13GT is offline  
post #6 of 11 (permalink) Old Feb 3rd, 2012, 10:58 pm Thread Starter
Veteran
 
Join Date: Jul 2007
Location: Anaheim, CA, USA
Posts: 1,397
Quote:
Originally Posted by K13GT
Get Real?! That's exactly the point, Get Real. Strong passwords are only one aspect.
Just because you've got a strong password and a bunch of disposable email addresses won't stop your box from being "whack" when you go to your favorite forum that's been hacked and is now redirecting you to a malicious site and that site has now dropped a Trojan on your box and pulled all your personal data off.

So, why shouldn't members of a forum be concerned about the "health and well being" of a site they participate in? You yourself said "I started this thread is to warn my friends who are more exposed..."

Why isn't discussing issues that may help a prospective / current forum member better understand "their individual risks" as to whether or not they wish to join or remain a member of value?

It would also be of more value for the Mods/Admins to say what they can or can't do with regard to maintaining the site (and yes that includes the cyber security aspects too) than for someone else to just speculate on.
I read your reply carefully. I have nothing further to add.
XMagnaRider is offline  
post #7 of 11 (permalink) Old Feb 4th, 2012, 5:26 am
Addict
 
Join Date: Mar 2004
Location: , , UK
Posts: 3,750
That is the point. You should never rely 100% on any IT system to be secure. There is no Guardian Angel or Law watching over your private interests and everybody will say their system is secure when asked. You have to take ownership of your security by using strong passwords and changing them. I change my credit cards every year because so much info sticks around on servers which can either get hacked or old hard drives end up in dumps and on auction sites waiting to be read. Prioritise your security methods according to the risks, with financial services at the very top and general chat or social boards lower down. Be careful using social networking sites; there are many state, criminal and commercial clones of 'Big Brother' hoovering up your Internet data, however innocent it appears, and linking it together for their own ends.

I've not followed the details of the BMWMOA problem, but most login passwords created by users, and especially under SSL, are never stored on servers in their raw human readable format. But there always seems a way around everything these days. If a board can 'restore' a lost password same as before, then there's a back door. If the user/member is offered a temporary login password to be changed, then that sounds more secure.

I thought it rather true to life when I read the UK cops were talking to the US cops about a hacking group with a mission to expose secrecy, mentioning names of those involved. Their conversation was apparently hacked, recorded and published. Now both sides are 'investigating'. If the back door is left open, then once it's gone it's too late.

voxmagna is offline  
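voxmagna's post above draws the line between a board that can hand a member back the old password (which means it holds the password in some reversible form) and one that issues a temporary credential to be changed. The following Python is an added example, not code from this thread or from the BMWMOA or K-Bikes sites, showing the storage model that post describes: a per-user random salt plus a slow one-way hash, a lost-password flow that issues a single-use random token instead of "restoring" anything, and a check that two members with the same password still end up with different stored hashes. The in-memory user table, the function names and the sample accounts are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user table (username -> record). A real forum keeps this
# in its database; the layout and the function names below are this example's own.
USERS = {}

PBKDF2_ITERATIONS = 100_000   # deliberately slow: every guess must pay this cost
RESET_TOKEN_BYTES = 32


def _derive(password, salt):
    """One-way, salted, iterated hash of a password (standard-library PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(username, password):
    """Keep only a fresh random salt and the derived hash; the password itself is never stored."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "reset": None}


def verify_password(username, candidate):
    """Re-derive from the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not reveal valid names.
        _derive(candidate, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])


def begin_reset(username):
    """Lost-password flow: issue a random single-use token rather than 'restoring' the old password.
    Only a hash of the token is kept, so a copy of the table cannot be used to redeem it."""
    token = secrets.token_urlsafe(RESET_TOKEN_BYTES)
    USERS[username]["reset"] = hashlib.sha256(token.encode("utf-8")).digest()
    return token   # this is what would be mailed to the member


def complete_reset(username, token, new_password):
    """Accept the token once, then replace the record with a new salt and hash."""
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, record["reset"]):
        return False
    record["reset"] = None            # single use
    store_password(username, new_password)
    return True


def stored_hashes_differ(user_a, user_b):
    """Same password, different salt, different stored hash: a leaked table does not
    show which members share a password, and one cracked entry does not unlock the other."""
    return USERS[user_a]["hash"] != USERS[user_b]["hash"]


if __name__ == "__main__":
    # Constructed sample accounts.
    store_password("alice", "correct horse battery staple")
    store_password("bob", "correct horse battery staple")
    print("alice login ok:", verify_password("alice", "correct horse battery staple"))
    print("wrong password rejected:", not verify_password("alice", "hunter2"))
    print("same password, different hashes:", stored_hashes_differ("alice", "bob"))
    tok = begin_reset("alice")
    print("bad token rejected:", not complete_reset("alice", "not-the-token", "x"))
    print("real token accepted:", complete_reset("alice", tok, "new password 123"))
    print("token is single-use:", not complete_reset("alice", tok, "again"))
    print("new password works:", verify_password("alice", "new password 123"))
```

The point of keeping only a hash of the reset token is the same as for the password: whoever copies the database still cannot log in as anyone, and a reset link that was never delivered cannot be reconstructed from the table.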
post #8 of 11 (permalink) Old Feb 4th, 2012, 11:32 am
Noob
 
Join Date: Feb 2012
Location: ST Charles, Il, USA
Posts: 15
Quote:
Originally Posted by XMagnaRider
Here is a link to the BMWMOA thread. You must have a BMWMOA account to see it:

http://www.bmwmoa.org/forum/showthread.php?p=745033
You might have to be a member to see the info, but you don't have to be a member to have your information stolen. I dropped my membership several years ago when the Board deemed it necessary to give a 25% hike in dues to help keep the club portfolio looking good, but they kept all my information in their database and they have informed me that my information has been compromised. Maybe they should take some of the portfolio money and make sure the membership info is properly protected.
mikesbikes is offline  
post #9 of 11 (permalink) Old Feb 4th, 2012, 1:21 pm
Addict
 
Join Date: Mar 2004
Location: , , UK
Posts: 3,750
You have different laws to us in the UK.

In the UK (maybe EU wide) we have Data Protection Laws. If companies don't look after your data properly they can be fined and, more importantly, if there is no good reason to keep your data and they do, they can be fined on that too. Resigning a membership or a UK forum signup is a classic example where there should be no data kept afterwards. There is an exception and that applies to financial records they keep for 6 years. But even that should be secure. However, as said before, don't assume somebody will look after you (and your data).

Keep changing your name, email addresses and move house every year! If you think about how much data about you is out there, 'going dark' is quite difficult. It won't be long before we are all implanted with a bio microchip at birth with satellites tracking our every movement.

voxmagna is offline  
post #10 of 11 (permalink) Old Feb 6th, 2012, 10:22 pm
Noob
 
diethornig's Avatar
 
Join Date: Feb 2012
Location: Berlin, Germany, Europe
Posts: 12
AAaggghhh.. That is too much for high technology!
diethornig is offline  