Tamiyaclub.com was hacked in Feb 2012
Started by netsmithUK, Feb 28 2012 05:38 PM
147 replies to this topic
#1
Posted 28 February 2012 - 05:38 PM
Hello all.
I'll try and keep this brief and to the point.
Over the days of 11th-15th of February Tamiyaclub.com came under attack from hackers. This was not a casual 'experiment' but a sustained sequence of penetration attempts. On the plus side those doing it do not seem to have caused any physical damage to the site or the data but they did manage to harvest the nicknames, email addresses and those passwords that users used on this site. The club does not and never has stored any financial data locally so they have not got any of those sort of details from us. All transactions are processed through and by PayPal and they look after all of your data.
That said if you have used your TC password anywhere else on the web you should go and change your passwords there as soon as possible.
The attack only came to light on Monday when someone came across a file of 400 of our user emails and club passwords posted to the web. As soon as I saw it I took the site down and set about investigating what had happened. As a first step I obviously have reset all club passwords (so you will need to do a password reminder on the main site to get your details again).
The hackers did not gain access to any control panels, ftp settings or any other server settings. There is nothing to say they gained access to the forums either. That said as many users shared passwords between the forum and the main site I have also reset all forum passwords.
I feel embarrassed and terrible that this has happened and have spent the last two days incorporating every type of security check I could find. For security reasons, I don't want to go into exactly what they are in detail but I've added new checks to every page and completely changed the way passwords and cookies are stored and handled. (The new reminder service is an example of this.) Most of the pages already ran checks for this sort of attack but they managed to find one that was sadly lacking. I don't want this to become a 'game' between me and the hackers either - they potentially have much more resource than me and could make things terrible for us all.
My hope is that it was just a passing attack and that I've made it awkward enough for them just to move on and let us be.
Because of the amount of code I've changed over the past 2 days, despite running through it with a few beta testers there is a chance that some things might not work. If you find anything please let me know.
I'll post more later.
Regards and apologies again
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1
#2
Posted 28 February 2012 - 06:02 PM
Mate I wouldn't feel embarrassed about it, it's not your fault those losers ain't got nothing better to do... glad you're back online!
#4
Posted 28 February 2012 - 06:16 PM
As said, you've no reason to feel bad or be embarrassed about hackers getting into the site. I think it's happened to just about every site/forum I've used over the past seven years. Just one of these things and the people behind it have more time and resources on their computer than they do in their day to day lives.
The password issue might explain how my e-mail address was hacked on Friday and scam e-mails sent to all my contacts. That seemed to be an easy enough fix though.
well done for getting the site back online so quickly and hopefully that's the end of it.
too many to list...
#7
Posted 28 February 2012 - 06:39 PM
Many thanks for reacting so quickly and the many hours of work that have no doubt gone in in the last 36 hours.
Welcome back everyone !
History for last 30 months.. bought too many, not sold enough - current stable 46 EEK
#8
Posted 28 February 2012 - 07:10 PM
Hi Chris, I agree with everyone else. Nothing to feel embarrassed about and no need to say sorry. You should be proud of the professional way you handled it and especially how quickly you got the code changed and got the site back up and running.
thanks again for keeping the site going it really is very good, and a credit to you
thanks
Paul
#9
Posted 28 February 2012 - 07:22 PM
Yeah, can't be helped, one of those things now. I guess they want the info to try and use it to log in to other sites and buy stuff?
I use same passwords for forums but not for buyin stuff. So be ok hopefully and I use different user names on forums as well.
Thanks
Lee.
Latest Bruiser re-re = awesome build! tank or 3spd truck next...................
#10
Posted 28 February 2012 - 08:15 PM
Thank you and well done for getting the site back up and running so quickly!
#11
Posted 28 February 2012 - 08:41 PM
Don't feel embarrassed, these hackers are a lot more experienced in all this than you or anyone else...
Just ask Sony.
Glad TC is back online
#13
Posted 28 February 2012 - 09:03 PM
Well done Chris.
A quick question, seems that I have to re-log every time I go back on TC, is there a way to stay logged in? Like a "remember me" box?
Thanks
Jerome
I've changed the way the site handles cookies and that's stopped this feature from working - it'll be back shortly.
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1
#15
Posted 28 February 2012 - 09:17 PM
Chris,
I found the file you mentioned this evening and, just to clarify to everyone, it contains *every* email address and password of 38000+ registered members, not just the 400 you reference in the original post.
A bit of good news I hope - it's clear from the file how the attack was done and it was not particularly sophisticated. SQL injection is script-kiddie stuff and if you've got a site that's been around as long as this one has, with a large number of SQL databases, PHP etc., there is always going to be a weakness. Although the note at the bottom claims it was 'Anonymous', I highly doubt this. I run my own sites as well and I know how difficult it is to make everything 100% secure, although password encryption might have been a good idea! Still, it looks like many members kept the site-generated password and probably stored it in their browser, rather than using their own, so hopefully a lot of the data is useless.
I have, though, got 12 emails today from someone called 'Fun Girl' who would like me to download an attachment because she's desperate to meet me. Decisions, decisions....
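The two weaknesses named in the post above, SQL injection and passwords stored without hashing, shown as an added example that is not part of the thread and is not Tamiyaclub's code: a member lookup built by string concatenation beside its parameterized form, and salted PBKDF2 password storage. The table layout, function names, iteration count and sample members are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)
HOSTILE_NICK = "x' OR '1'='1"  # constructed input containing a quote character

def hash_password(password, salt=None):
    # A per-user random salt plus a slow hash: a dumped table no longer reveals passwords.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members "
               "(nick TEXT PRIMARY KEY, email TEXT, salt BLOB, pw_hash BLOB)")
    for nick, email, pw in [("alice", "alice@example.test", "correct horse"),
                            ("bob", "bob@example.test", "hunter2")]:  # constructed rows
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO members VALUES (?, ?, ?, ?)", (nick, email, salt, digest))
    return db

def lookup_concatenated(db, nick):
    # BEFORE: input is pasted into the SQL text, so a quote in it rewrites the query.
    return db.execute(
        "SELECT nick, email FROM members WHERE nick = '" + nick + "'").fetchall()

def lookup_parameterized(db, nick):
    # AFTER: input is bound as a value and can never become part of the SQL syntax.
    return db.execute(
        "SELECT nick, email FROM members WHERE nick = ?", (nick,)).fetchall()

def verify_login(db, nick, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM members WHERE nick = ?", (nick,)).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, row[0])
    return hmac.compare_digest(candidate, row[1])  # constant-time comparison

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, HOSTILE_NICK))
    print("parameterized:", lookup_parameterized(db, HOSTILE_NICK))
    print("login ok     :", verify_login(db, "bob", "hunter2"))
```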
#16
Posted 28 February 2012 - 09:19 PM
Chris,
I found the file you mentioned this evening and, just to clarify to everyone, it contains *every* email address and password of 38000+ registered members, not just the 400 you reference in the original post.
A bit of good news I hope - it's clear from the file how the attack was done and it was not particularly sophisticated. SQL injection is script-kiddie stuff and if you've got a site that's been around as long as this one has, with a large number of SQL databases, PHP etc., there is always going to be a weakness. Although the note at the bottom claims it was 'Anonymous', I highly doubt this. I run my own sites as well and I know how difficult it is to make everything 100% secure, although password encryption might have been a good idea! Still, it looks like many members kept the site-generated password and probably stored it in their browser, rather than using their own, so hopefully a lot of the data is useless.
I have, though, got 12 emails today from someone called 'Fun Girl' who would like me to download an attachment because she's desperate to meet me. Decisions, decisions....
Go for it, seems totally legit.
Seriously, total security takes a lot of work and usually is very user-unfriendly.
#18
Posted 28 February 2012 - 09:24 PM
Chris,
... it contained all 38000+ registered members, not just the 400...
If it does I'm mistaken. I hit the download link and the file I got just had the 400 as far as I could see. I assumed all 38000 were available somewhere, I just couldn't see them or how to get them on that particular site. (You don't have to post a link here to prove me wrong or explain how to get the whole file - I'm happy to take your word for it.) Either way I've warned everyone to take appropriate measures.
Cheers
Chris
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1
#19
Posted 28 February 2012 - 09:27 PM
The homepage for TC will not come up for me? Looking forward to changing that password ASAP!
I think I may have broken it while trying to fix the cookie issue. It's still working for me logged in or not, is anyone else still having issues?
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1
#21
Posted 28 February 2012 - 09:41 PM
No homepage for me either :-(
#22
Posted 28 February 2012 - 09:42 PM
No TC homepage and also no TC Photos page
How about now? (TCPhotos is a separate issue)
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1
#23
Posted 28 February 2012 - 09:46 PM
So was this the first of the big things you had planned for TC in 2012?
....about as popular as that Scorcher wind up in 2005 I'd say.
Seriously though, well done for reacting quickly & decisively. If anything it made me realise just how lazy I was getting, using the same password too frequently.
#25
Posted 28 February 2012 - 10:15 PM
My password reset for the homepage doesn't work, I'll give everything a few days to settle down before I try again.
Should be working - email me the details of what email address you are using. Are you getting the email through? What message do you get on screen?
Chris
Take a look at the TC2012 event
http://www.tamiyaclub.com/moviecomment.asp?id=4870&uid=1