# PFK Website Compromised



## 2pods (4 Dec 2009)

I've just had an email from Matt @ PFK saying their website has been hacked, losing names, addresses, email addies, and possible telephone numbers.

Worrying


----------



## AdAndrews (4 Dec 2009)

why would anyone want to hack a fishkeeping magazine website :?


----------



## 2pods (4 Dec 2009)

AdAndrews said:

> why would anyone want to hack a fishkeeping magazine website :?



smells a bit fishy to me

IGMC  

Seriously, he was worried about attempted identity theft and cc fraud.

It's happened to me before.


----------



## aaronnorth (4 Dec 2009)

AdAndrews said:

> why would anyone want to hack a fishkeeping magazine website :?



well most people will use the same password for numerous things, so if their email p/word is the same as PFK, they can try it on numerous fish related websites which store people's credit cards :?


----------



## ScottYalloP (4 Dec 2009)

well I'm screwed


----------



## plantbrain (4 Dec 2009)

It's those damn climate change email hackers!
Trying to blame aquarists for climate change!

Regards, 
Tom Barr


----------



## itstricky11 (4 Dec 2009)

I wish the email they sent out had contained a little more technical information as to exactly what had been (possibly) compromised. Depending on how their site is designed, "Joe Public" could either be at great risk, some risk, or little risk. 

Let me explain.

When you register an account on somewhere such as a forum, the username and password you pick have to be stored somewhere so that they can be checked against at a later point (when you come to log in!). Usually the details are stored in a database as these are fast and easy to use, however the way they are stored can vary:

1. Plain text. The worst possible scenario (from a security point-of-view) - anyone who can access the database literally can read the information straight out of the users table.

2. Hashed. The username is "hashed" before being stored in the database, usually with an algorithm such as MD5. This means that all there is in the database for password is an alphanumeric string. MD5 is not feasibly reversible, however with determination, hashes can be reasonably easily returned to plain text with the use of a "rainbow table" of known or computed hashes.

3. Salted hash. Same as above, but with the inclusion of a secret "key" which the hash is cyphered against. Provided the salt is large enough, a rainbow-tables attack is not feasible.

I am hoping Bauer's web designers are security-conscious enough to go for salted hashes (or better!), but some reassurance of this from them would not go amiss. Just in case anyone is wondering, secure website hosting is part of my job description.

IT11
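The three storage schemes in the post above, side by side, as an added example (not the poster's code and nothing to do with how the PFK site is actually built). It assumes nothing beyond the Python standard library; the list of weak passwords is constructed here to stand in for the precomputed "rainbow table" the post mentions, and the "or better" option is shown as PBKDF2 with a per-user random salt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of weak passwords, standing in for the precomputed
# table of known hashes ("rainbow table") described in the post.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "fishtank"]


def store_plaintext(password: str) -> str:
    """Option 1: the password itself is written to the users table."""
    return password


def store_md5(password: str) -> str:
    """Option 2: unsalted MD5. The same password gives the same hash for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored_hash: str, candidates=COMMON_PASSWORDS) -> Optional[str]:
    """Why option 2 is weak: one precomputed table serves every unsalted hash.

    The table is built once from the candidate list and can then be reused
    against any number of leaked hashes, which is the rainbow-table idea.
    """
    table = {store_md5(p): p for p in candidates}
    return table.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Option 3 "or better": per-user random salt plus a slow KDF (PBKDF2).

    The salt is stored next to the hash and need not be secret; it only has
    to differ per user, so a table precomputed for one user fits no other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo(password: str = "fishtank") -> dict:
    """Show the three schemes for one constructed password."""
    md5_hash = store_md5(password)
    salted_a = store_salted(password)
    salted_b = store_salted(password)
    return {
        "plaintext": store_plaintext(password),
        "md5": md5_hash,
        "md5_recovered": lookup_unsalted(md5_hash),            # "fishtank"
        "salted_hashes_differ": salted_a != salted_b,          # True
        "salted_verifies": verify_salted(password, salted_a),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes concrete: two users with the same password get identical unsalted MD5 hashes, so a single lookup recovers both, whereas the two salted entries for the same password differ and the lookup has nothing to match against. The iteration count is what makes guessing slow even when the salt is known.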


----------



## RoughIt (5 Dec 2009)

The initial stolen details appear to be : email address, password & username.
With these three things it would have been easy to access our other saved details.
I found a link from another fish forum to a pastebin page from California which appears
to be an authentic list totalling 2047 stolen details.
I could only find a cached version dated Wed. Oct. 28th which is even more worrying.
How long our details may have been in the wild, who knows?
I was going to post a link but I'm not sure that would be ethical, unless the mods/admins think
it would be in all our interests to highlight the potential severity of the hack.


----------



## John Starkey (5 Dec 2009)

Christ, I use the same e-mail and password on everything. Would it be a good idea to change my passwords?
Regards, John


----------



## RoughIt (5 Dec 2009)

A quick question for itstricky11.

I've found a second list, uploaded Friday, which appears to have MD5 hashes in place of the passwords.
Does this mean anything to you ?
I've also found a third list (a rewrite of the first) which the author begins by writing 'IN ALPHABETICAL ORDER FOR EASY FINDING OF YOUR OWN INFO'... How considerate!!!
I spent all night following a possible lead and all info has been forwarded to Matt and I'll let you know if I get a reply.

For John Starkey.
I'd advise changing your passwords, then move house... maybe the second one's a bit extreme.


----------



## 2pods (5 Dec 2009)

PFK's site is still down, but all I think I can do is change what passwords I can remember elsewhere


----------



## naija (5 Dec 2009)

Fortunately I haven't used the same password as I usually do (I know, I should be more careful anyway). I've found the link to the cached list on other forums but it seems to be broken.  I don't know whether to be relieved or increasingly worried (don't know if my stuff is still out there)


----------



## RoughIt (5 Dec 2009)

The link is broken because the paste has been updated. (just alphabetised)
Found a paste for SPAM with this list attached uploaded today.
If you get SPAM about Lloyds Bank then you're probably on the list.
Will keep checking and let you all know if things change.
Can I post a link to the paste ?(As posted by REEFSCAPE on other forums)


----------



## naija (5 Dec 2009)

I've got spam from Lloyds, but then again I regularly get spam from just about every 'bank' in existence (which I never respond to, and up to now have had no problems). Can you pm me the updated list? I'd rather know than be left ignorant.


----------



## RoughIt (5 Dec 2009)

naija said:

> I've got spam from Lloyds, but then again I regularly get spam from just about every 'bank' in existence (which I never respond to, and up to now have had no problems). Can you pm me the updated list? I'd rather know than be left ignorant.



I'll give everybody instructions to find the info.
Find the link in REEFSCAPES post on another forum.(which will bring up a Google page).
Copy and paste the p******n.ca/(some numbers) into your browser bar.
Add 'tree' before the numbers.(no spaces)
Pressing enter takes you to the paste site.
Find the 'View Differences' button and click on it.
SPAM entry and list will now appear.
Keep an eye on the 'Recent posts' on the left.
All entries so far have been titled 'Stuff'.

PLEASE REMOVE POST IF CONTRAVENING ANY RULES.


----------



## naija (5 Dec 2009)

Thanks so much for that. I'm not on the list, but I've learned my lesson. Pity the fool who tries to work out my passwords from now on.


----------



## RoughIt (5 Dec 2009)

What worries me the most is that this list was compiled in October.
PFK shut their site down on Friday. 4th Dec.
How many other lists may be in the wild like this ?
Are our addresses and other info trading hands behind the scenes?
Will PFK be informing each subscriber if their info has definitely been stolen?
How will PFK resurrect the subscriptions if no details can be trusted anymore? (may have been edited)

Glad to hear that your info is not on THIS list naija.
By the way great looking tank (could the heater be hidden a bit ,or are the plants starting to mask it)


----------



## itstricky11 (5 Dec 2009)

If the passwords have been hashed, there is less of an issue with the passwords being reversed and used elsewhere - the computational time required to do so would be vast (assuming they are salted as I mentioned before).

However! It is always best practice to use different usernames and passwords for anything you sign up to. I know that makes things hard to remember, so consider using an application such as the open-source KeyPass (keypass.info), which allows you to store your logins in a single, heavily-encrypted database. Then all you need to do is remember one extra-secure password to look up the other ones you have!

As the tables were hashed I won't be considering cancelling my PFK subscription... yet.

IT11


----------



## RoughIt (5 Dec 2009)

itstricky11 said:

> If the passwords have been hashed, there is less of an issue with the passwords being reversed and used elsewhere - the computational time required to do so would be vast (assuming they are salted as I mentioned before).
>
> However! It is always best practice to use different usernames and passwords for anything you sign up to. I know that makes things hard to remember, so consider using an application such as the open-source KeyPass (keypass.info), which allows you to store your logins in a single, heavily-encrypted database. Then all you need to do is remember one extra-secure password to look up the other ones you have!
>
> ...



Only one list contains hashed passwords. The other updated list contains the actual passwords not the hashes.
Could the passwords have been hacked from the listed hashes, or could this only have been achieved by accessing the site directly.


----------



## 2pods (5 Dec 2009)

I'm not on it AFAICS, but it's a scary thing.


----------



## itstricky11 (5 Dec 2009)

As mentioned earlier, if the hashes were not salted then they could have been reversed using rainbow tables. Also, the stolen passwords could have been hashed by the individual who lifted the list for placing onto pastebin to advertise the list for "sale" with the unhashed passwords provided to purchasers.

All pure, unsubstantiated speculation, however. If the lists are freely available online with unhashed passwords, anyone with their details on this list needs to make sure they have re-secured any other services using the same credentials.


----------



## Lisa_Perry75 (7 Dec 2009)

I really wish I knew my password, so I could change it!!!


----------



## 2pods (7 Dec 2009)

Log on with the wrong password, click forgot password, get a new link sent to you, create a new password.

Assuming the PFK website is back up of course


----------



## itstricky11 (7 Dec 2009)

Not last time I checked!


----------



## Brenmuk (8 Dec 2009)

I wonder why it is taking them so long to get back up? Was it just their membership database that was compromised or were the main PFK content pages also hacked/vandalised?

What about their backups and disaster recovery provision?


----------



## itstricky11 (8 Dec 2009)

With websites which are often updated, the content is almost always stored in a database. The only thing which remains static is the framework to render the site.

When a hack occurs, one of two things will have to happen. Either the database will have to be rolled-back to a point in time before the hack occurred, or each and every line will need to be inspected for malicious content. The problem with rolling back is content loss, and obviously this grows depending on how far back the database has to be taken. Consider the fact that users here have found reference to leaked user accounts reaching as far back as October, and then consider the kind of content that PFK will have stored in the database - each news article they publish, reviews, editorial, not to mention forum posts. The work involved in "putting things right" is colossal.

On the flip side of that, there is no point doing a mountain of work to clean the database if you don't fix the site code which was vulnerable in the first place, and finding the vulnerabilities can take ages, especially if you have a large site framework.

I wouldn't be surprised if the hack was executed via a technique called SQL-injection. SQL-injection utilizes the normal behavior of a piece of code, and tries to manipulate it into doing things it shouldn't. It is up to server protection technologies and input validation to protect against these. Take the following as an illustration:

The user is browsing a website, and clicks on an article about planted aquaria. The article has an article ID in the database where the article is stored, so the link the browser requests is something like:

http://www.plantedaquariumsarefab.tld/a ... p?id=12345

where "12345" is the ID of the article the browser wants. Now take that same page (articles.php), and get it to spit out things it shouldn't:

http://www.plantedaquariumsarefab.tld/articles.php?id=("SELECT+*+FROM+'tbl_users')

where "tbl_users" is the table containing all the user accounts.

SQL injection is a right royal pain-in-the-ass, but with suitable server technologies (such as mod_security for Apache server and URLScan and similar for Microsoft IIS), it can be mostly mitigated against. The remainder of the protection comes from the site code, ensuring that it will not execute queries it is not supposed to, and a database architecture which prevents unauthorized access to, and modification of data.

Thus endeth the lesson on website security.

IT11

(Edit: fixed typo)
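The articles.php example above, reduced to the two defences the post names (input validation and code that only runs the query it is supposed to), as an added example that is not the poster's code and says nothing about how the real site was written. It assumes a constructed in-memory SQLite database with an articles table and a tbl_users table; the table and column names are invented for the illustration, and the text `0 OR 1=1` is the standard textbook input used to show why the unvalidated version misbehaves.

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database: an articles table, as in
    the articles.php example, plus the tbl_users table the post refers to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
        INSERT INTO articles VALUES (12345, 'Planted aquaria for beginners');
        INSERT INTO articles VALUES (12346, 'Choosing a CO2 system');
        INSERT INTO tbl_users VALUES (1, 'alice', 'hash-placeholder-1');
        INSERT INTO tbl_users VALUES (2, 'bob', 'hash-placeholder-2');
    """)
    return conn


def fetch_article_unsafe(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """The vulnerable pattern: the id from the URL is pasted into the SQL text.

    Whatever follows ?id= becomes part of the statement, so the database
    runs the caller's text instead of looking up one article by number.
    """
    query = f"SELECT id, title FROM articles WHERE id = {raw_id}"
    return conn.execute(query).fetchall()


def is_valid_article_id(raw_id: str) -> bool:
    """Input validation: an article id is a positive integer and nothing else."""
    return raw_id.isdigit() and 0 < int(raw_id) < 2**31


def fetch_article_safe(conn: sqlite3.Connection, raw_id: str) -> Optional[List[Row]]:
    """Validate first, then bind the value as a parameter so the driver never
    interprets it as SQL. Returns None for a request that fails validation;
    a web handler would answer 400 and log the attempt for the admins."""
    if not is_valid_article_id(raw_id):
        return None
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_article_unsafe(db, "12345"))     # the one article asked for
    print(fetch_article_unsafe(db, "0 OR 1=1"))  # every article: the query was rewritten
    print(fetch_article_safe(db, "0 OR 1=1"))    # None: rejected before reaching the database
    print(fetch_article_safe(db, "12345"))       # the one article asked for
```

Parameter binding on its own closes the hole; the integer check on top of it is cheap, gives the server something definite to log, and is the kind of rule a filter such as mod_security or URLScan enforces in front of the site code. Limiting the database account the site uses so that articles.php cannot read tbl_users at all is the "database architecture" layer the post mentions, and is what contains the damage when the first two layers fail.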


----------



## aquaticmaniac (8 Dec 2009)

I got about a paragraph into that and started looking for a compass...

But I'll reread to educate myself


----------



## Brenmuk (8 Dec 2009)

aquaticmaniac said:

> I got about a paragraph into that and started looking for a compass...
>
> But I'll reread to educate myself



That's the thing about web security: anyone with a bit of technical know-how can knock up a quick web site, but making it secure is hard. I've just been trying to get my head around SQL injection as well; see:
http://en.wikipedia.org/wiki/SQL_injection.

I also followed the link to the posted PFK user accounts and didn't find my username or pwd on the list but I don't know if that means they don't have my details or if that was just one of several user account lists that have been posted!


----------



## aquaticmaniac (8 Dec 2009)

Hmm, I know everyone is paranoid about this. But I just remembered that a couple of months ago I started getting spam everyday on my email associated with PFK. I don't know if my info is on that list (can't get link to work).
Luckily I don't have any important information associated with that...


----------



## John Starkey (8 Dec 2009)

itstricky11 said:

> With websites which are often updated, the content is almost always stored in a database. The only thing which remains static is the framework to render the site.
>
> When a hack occurs, one of two things will have to happen. Either the database will have to be rolled-back to a point in time before the hack occurred, or each and every line will need to be inspected for malicious content. The problem with rolling back is content loss, and obviously this grows depending on how far back the database has to be taken. Consider the fact that users here have found reference to leaked user accounts reaching as far back as October, and then consider the kind of content that PFK will have stored in the database - each news article they publish, reviews, editorial, not to mention forum posts. The work involved in "putting things right" is colossal.
>
> ...



Wow, now I am totally bamboosoodled

Regards, John.


----------



## itstricky11 (8 Dec 2009)

Sorry folks, I do appreciate that my last post was very "techy", but I tried to keep it as simple as possible while providing as much information as I could. Planted aquaria and database technologies are about as far apart as I could pick two subjects, so it is hardly surprising that subscribers here would find the above a bit baffling!

I would tend not to associate spam with the leaking of a list like this as in my experience this is not how spammers work, but it is not outside the realms of possibility that a list such as this could be sold to a spammer.

Bearing in mind my deep understanding of the issues at hand here, my advice would be to accept that it has happened, reset your passwords for other services and move on. It isn't the first time that a company has leaked the personal details of its customers, and the sad fact is that it will not be the last. In fact, Bauer publishing are to be applauded that they actually notified their subscribers that this had occurred - there are many companies out there which would do all in their power to hush an incident such as this to prevent the ensuing detrimental publicity .

IT11.


----------



## Superman (10 Dec 2009)

This is disappointing, as I'm very careful with exposing my email address online. 
Over the last few weeks, I've started to receive spam mail through my email address that was used on the PFK website. I've never received them before and doubt it's a coincidence. 

Whilst I'm not on the list discussed above, I guess there's nothing to stop them holding details in the background.  

Fortunately, I have different passwords for secured/personal websites.

I'm reconsidering my subscription to PFK.


----------



## Hokum (13 Dec 2009)

Is there any idea when PFK will be back up? I had hoped for a temp web page with some information but its still the same maintenance page.


----------



## itstricky11 (13 Dec 2009)

If you e-mail Matt Clarke, I guess he might provide you with an ETA.

IT11


----------



## steveninaster (16 Dec 2009)

My password is different for the PFK website and the PFK forum; does anyone know if username and password details were taken from one or both?

Sadly I can't follow Reefscape's link as I use a work laptop that refuses access to the page.


----------



## Lisa_Perry75 (10 Jan 2010)

PFK is still not back. Anyone know what is happening?


----------



## Hokum (26 Jan 2010)

Wow, I can't believe the site is still down; they must be either doing a complete site relaunch or going through the database with a fine tooth comb!


----------



## Paulus (26 Jan 2010)

Also wondering when the site will be back online, and of course curious about the December 2009 magazine. I should receive this version, but I can understand they first need to fix the large problems.


----------



## Mawgan (27 Jan 2010)

I emailed Matt Clarke a couple of days ago and he gave me to understand that they should be up and running by mid-February.  He made it clear that this is being taken very seriously and they are doing their utmost to avoid a repetition.

Hope this helps...


----------



## itstricky11 (28 Jan 2010)

Having a website offline for this long is unprecedented in my experience. Bauer must really be hurting over this, and I can see why they would want to protect their subscriber-base at any cost.

I can only assume that they are rebuilding the site from the ground-up.


----------



## George Farmer (28 Jan 2010)

Monday 1st Feb...


----------



## LondonDragon (2 Feb 2010)

George Farmer said:

> Monday 1st Feb...


One day late but they are up!! Had to renew my password though, as the current one no longer worked.


----------



## aaronnorth (2 Feb 2010)

LondonDragon said:

> George Farmer said:
>
> ...



Same, glad it's back though; I also prefer the new layout.


----------



## Steve Smith (2 Feb 2010)

Are there more adverts than before, or is it just my imagination?


----------



## LondonDragon (2 Feb 2010)

SteveUK said:

> Are there more adverts than before, or is it just my imagination?


I never used it much anyway but I did notice that too, maybe it's me also! LOL
The forum login no longer works on the main page; looks like people need to register again on the main site to comment on blogs etc... Did not see the My Tanks section any more.


----------



## Paulus (2 Feb 2010)

w00t the site is back. Will they also send the December magazine now?


----------



## LondonDragon (2 Feb 2010)

Paulus said:

> w00t the site is back. Will they also send the December magazine now?


Haha you and your December magazine


----------



## Paulus (2 Feb 2010)

LondonDragon said:

> Paulus said:
>
> ...



Just wondering how my tank is looking inside the magazine.


----------

