1 - 11 of 11 Posts

Premium Member · 1,397 Posts · Discussion Starter #1
If you are a BMWMOA member, you should go to the BMWMOA website and change your password. Pay special attention to where they advise you to change passwords on other websites where you use the same or similar passwords. Here is the text of the announcement from BMWMOA:

Forum Database Leaked
---------------------------------------------
The club administration has become aware that our forum's database has been obtained and leaked. This thread provides the information that we have about the event and advice about how to handle it.

Apparently someone was able to download part or all of the live database around January 27th. We became aware of this yesterday (1/30). A conference call was held this morning to discuss the situation, between Club President Greg Feeler, Executive Director Ray Zimmerman, IT administrator Jeff Betz, Forum Administrator Kurt Schrader and me, Forum Liaison Darryl Richman.

We have determined that forum user names and associated email addresses were leaked, as well as one-way encrypted hash codes of forum passwords. Other forum related information was probably downloaded as well, but we do not have direct evidence of this.

Unfortunately, this probably means that all our members will now receive more spam mail at their registered email address.

Beyond that, the password hash codes are difficult -- but not impossible -- to break. Some techniques that the bad guys use may quickly break some weak passwords.

We highly recommend that you change your password here, and anywhere else you use the same or similar passwords, especially on sites that may have your financial information.

We are now in the process of sending an email to every member in the database to warn them that they should change their password.

Because a member's username and password provide access to the club functions on the website as well as the forum, someone could impersonate a member. We think this is unlikely because the club's website does not keep any financial information that can be used to make purchases.

We are also trying to determine how the leak was accomplished and determine how to secure it from this exploit. We expect to update this thread with progress on this soon.

I am leaving this topic locked so that any additional information we learn can be readily disseminated. Please use this other thread for discussion.

Thanks for your patience.
__________________
--Darryl Richman, forum liaison

..............................................

The club began a mass emailing this afternoon to alert all members that they should change their passwords. The mail is going out through a mailing service, so I'm not sure how long it will take to plow through ~40,000 emails.
__________________
--Darryl Richman, forum liaison

Registered · 76 Posts
Posted this on the BMWMOA thread:
http://www.bmwmoa.org/forum/showthread.php?t=58114

As others have stated: "Do Not Use the same password on multiple sites and if you do change all those to uniquely different passwords".

What concerns me with the BMWMOA site is that unless the vulnerabilities associated with vBulletin, PHP, MySQL, and CGI abuses (and possibly other web related apps, etc.) are addressed, changing one's password really isn't going to do much. Yes, you have a new "lock" on the front door but the back door is still open.

Has BMWMOA ever done a vulnerability assessment of their (our) web site? If not, might be a good time to start doing it on a routine basis and address (patch) any outstanding issues.



OK, as for this site, it looks like we're running an old version, "vBulletin 3.0.9", which has issues. I believe that incremental updates (within the version range) of vBulletin are free as long as the license is valid, correct? Upgrading to the most current version (4.0) would probably incur a cost.

Do our "Mods" do any vulnerability assessments?

Thoughts? Concerns?

Premium Member · 1,397 Posts · Discussion Starter #4 (Edited)
K13GT said:
Posted this on the BMWMOA thread:
http://www.bmwmoa.org/forum/showthread.php?t=58114

As others have stated: "Do Not Use the same password on multiple sites and if you do change all those to uniquely different passwords".

What concerns me with the BMWMOA site is that unless the vulnerabilities associated with vBulletin, PHP, MySQL, and CGI abuses (and possibly other web related apps, etc.) are addressed, changing one's password really isn't going to do much. Yes, you have a new "lock" on the front door but the back door is still open.

Has BMWMOA ever done a vulnerability assessment of their (our) web site? If not, might be a good time to start doing it on a routine basis and address (patch) any outstanding issues.



OK, as for this site, it looks like we're running an old version, "vBulletin 3.0.9", which has issues. I believe that incremental updates (within the version range) of vBulletin are free as long as the license is valid, correct? Upgrading to the most current version (4.0) would probably incur a cost.

Do our "Mods" do any vulnerability assessments?

Thoughts? Concerns?

Thoughts: Get real. The mods probably do not cover their costs for bandwidth, let alone a vulnerability assessment. Nor do they have the time. Instead, the members should assess the risks vs. value of the website in case the website is compromised. Assume that the website is vulnerable. Nobody is forcing you to be a member, you know.

Concerns: Few. I have separate, unique, strong, random passwords for each website I use, and always have. If someone takes over the k-bikes.com website or my k-bikes account, they will get little information, including a throwaway email address. I hope they give better motorcycle advice than me.

(The purpose of the above is not to boast, but serve as an example for others.)

The primary reason I started this thread is to warn my friends who are more exposed, especially those who use the same usernames and weak passwords at BMWMOA and other websites, especially if they use them to access medical or financial accounts.

Registered · 76 Posts
XMagnaRider said:
Thoughts: Get real. The mods probably do not cover their costs for bandwidth, let alone a vulnerability assessment. Nor do they have the time. Instead, the members should assess the risks vs. value of the website in case the website is compromised. Assume that the website is vulnerable. Nobody is forcing you to be a member, you know.

Concerns: Few. I have separate, unique, strong, random passwords for each website I use, and always have. If someone takes over the k-bikes.com website or my k-bikes account, they will get little information, including a throwaway email address. I hope they give better motorcycle advice than me.

(The purpose of the above is not to boast, but serve as an example for others.)

The primary reason I started this thread is to warn my friends who are more exposed, especially those who use the same usernames and weak passwords at BMWMOA and other websites, especially if they use them to access medical or financial accounts.

Get Real?! That's exactly the point, Get Real. Strong passwords are only one aspect.
Having a strong password and a bunch of disposable email addresses won't stop your box from being "whacked" when you go to your favorite forum that has been hacked and is now redirecting you to a malicious site, and that site drops a Trojan on your box and pulls all your personal data off.

So, why shouldn't members of a forum be concerned about the "health and well being" of a site they participate in? You yourself said "I started this thread is to warn my friends who are more exposed..."

Why isn't discussing issues that may help a prospective / current forum member better understand "their individual risks" as to whether or not they wish to join or remain a member of value?

It would also be of more value for the Mods/Admins to say what they can or can't do with regard to maintaining the site (and yes that includes the cyber security aspects too) than for someone else to just speculate on.

Premium Member · 1,397 Posts · Discussion Starter #6
K13GT said:
Get Real?! That's exactly the point, Get Real. Strong passwords are only one aspect.
Having a strong password and a bunch of disposable email addresses won't stop your box from being "whacked" when you go to your favorite forum that has been hacked and is now redirecting you to a malicious site, and that site drops a Trojan on your box and pulls all your personal data off.

So, why shouldn't members of a forum be concerned about the "health and well being" of a site they participate in? You yourself said "I started this thread is to warn my friends who are more exposed..."

Why isn't discussing issues that may help a prospective / current forum member better understand "their individual risks" as to whether or not they wish to join or remain a member of value?

It would also be of more value for the Mods/Admins to say what they can or can't do with regard to maintaining the site (and yes that includes the cyber security aspects too) than for someone else to just speculate on.

I read your reply carefully. I have nothing further to add.

Addict · 3,750 Posts
That is the point. You should never rely 100% on any IT system to be secure. There is no Guardian Angel or Law watching over your private interests and everybody will say their system is secure when asked. You have to take ownership of your security by using strong passwords and changing them. I change my credit cards every year because so much info sticks around on servers which can either get hacked or old hard drives end up in dumps and on auction sites waiting to be read. Prioritise your security methods according to the risks, with financial services at the very top and general chat or social boards lower down. Be careful using social networking sites - There are many state, criminal and commercial clones of 'Big Brother' hoovering up your Internet data, however innocent it appears, and linking it together for their own ends.

I've not followed the details of the BMWMOA problem, but most login passwords created by users and especially under SSL, are never stored on servers in their raw human readable format. But there always seems a way around everything these days. If a board can 'restore' a lost password same as before, then there's a back door. If the user/member is offered a temporary login password to be changed, then that sounds more secure.

I thought it rather true to life when I read the UK cops were talking to the US cops about a hacking group with a mission to expose secrecy, mentioning names of those involved. Their conversation was apparently hacked, recorded and published. Now both sides are 'investigating'. If the back door is left open, then once it's gone, it's too late.
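The two points above, one-way hashed passwords (as in the BMWMOA announcement) and the difference between a board that can 'restore' an old password and one that issues a temporary, single-use credential, as an added example that is not part of this thread and not vBulletin's or BMWMOA's code. It assumes Python's standard hashlib.scrypt; the in-memory tables, user names and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for database tables.
USERS = {}    # username -> (salt, scrypt digest); the password itself is never stored
RESETS = {}   # sha256(token) -> (username, expiry); only the token's hash is kept
RESET_TTL = 900  # seconds a reset token stays valid (assumed value)


def hash_password(password, salt=None):
    """Salted, deliberately slow one-way hash. Nothing stored here can be reversed
    to recover the password, which is why a site never needs to 'restore' it."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def register(username, password):
    USERS[username] = hash_password(password)


def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def request_reset(username, now=None):
    """Issue a random, single-use, time-limited token to send by email.
    The plaintext token is returned once and never stored."""
    if username not in USERS:
        return None  # the caller should send the same generic reply either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESETS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + RESET_TTL)
    return token


def complete_reset(token, new_password, now=None):
    """Consume the token: it must exist and be unexpired, and it is deleted on use."""
    now = time.time() if now is None else now
    entry = RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    USERS[entry[0]] = hash_password(new_password)
    return True
```

A leaked copy of USERS and RESETS yields only slow salted digests and token hashes, so neither an old password nor a pending reset can be recovered from it.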

Registered · 15 Posts
XMagnaRider said:
Here is a link to the BMWMOA thread. You must have a BMWMOA account to see it:

http://www.bmwmoa.org/forum/showthread.php?p=745033

You might have to be a member to see the info, but you don't have to be a member to have your information stolen. I dropped my membership several years ago when the Board deemed it necessary to give a 25% hike in dues to help keep the club portfolio looking good, but they kept all my information in their database and they have informed me that my information has been compromised. Maybe they should take some of the portfolio money and make sure the membership info is properly protected.

Addict · 3,750 Posts
You in the US have different laws to us.

In the UK (maybe EU wide) we have Data Protection Laws. If companies don't look after your data properly they can be fined, and more importantly, if there is no good reason to keep your data and they do, they can be fined for that too. Resigning a membership or a UK forum signup is a classic example where there should be no data kept afterwards. There is an exception, and that applies to financial records, which they keep for 6 years. But even that should be secure. However, as said before, don't assume somebody will look after you (and your data).

Keep changing your name, email addresses and move house every year! If you think about how much data about you is out there, 'going dark' is quite difficult. It won't be long before we are all implanted with a bio microchip at birth with satellites tracking our every movement.

Registered · 12 Posts
I'm a new member, just wanted to say I joined BMWMOA last week and the next day my email was shut down by msn/hotmail. Someone hacked it and sent a bunch of junk to a couple million people, or whatever. Had to start it over, pain in the toot... anyway, that's it and I'll do a proper intro today...