NoScript

  • lxskllr
    Member
    • Sep 2007
    • 13435

    NoScript

    Those of you running Firefox (why aren't all of you?!) should consider installing NoScript. It adds work to the browsing experience, but it can also speed up page loads, and protect you from tracking and viruses. I got this message from another forum I frequent...

    Earlier today a moderator account was compromised, allowing a malicious third party to create a global announcement with an embedded script designed to harvest user names, passwords and PMs. The post was live from 8:35AM ET through 10:41AM ET (all on July 14th). The attack originated from an IP in Sweden (91.236.116.104) with all data being logged to a server from a shared virtual hosting provider. The aim of the attack seems to be to gain access to an Admin account, which wasn't successful.

    In the process, anyone who was logged in and accessed the forums during this period had their stored PMs accessed by this script. In addition, any user who manually logged in had their user name and password accessed (141 total users). Upon discovering the breach we immediately contacted the host of the script and got them to remove all of the data gathered by the script. We also reset all passwords associated with accounts that were known to be compromised. If you try to login to your account and find that your password doesn't work, it was among those reset. Similarly, treat any sensitive information contained within your PMs as potentially compromised.

    We strongly recommend changing passwords frequently and not using the same password for multiple accounts.

    We are actively working with the hosting provider where the script was living to see if we can gather any more information about the parties who launched the attack.

    Moderators on that site are allowed to use HTML in global announcement titles, so JS was embedded in the title to launch the attack. Anyone opening a page with the post on it was exposed due to the scripting, which was hosted offsite. I use NoScript with very few sites whitelisted; I only allow the bare minimum to make sites work, and only grant temporary exceptions when I want to see something. IOW, I wasn't subject to the attack.

    Browsing "safe" sites isn't protection against malware. The above site is about as safe as they come, and this isn't the first issue. There's been malware spread by adservers in the past also, and any site can be breached by a well-executed hack on the target site, or by gaining enough data from someone with power to take control.

    These are the security addons I use...

    AdBlock+ with Fanboy's ultimate list. Blocks ads, trackers, and other annoyances.

    NoScript Blocks JavaScript, and gives ClearClick protection, which notifies you of an overlay on the site you can't see, where clicking won't do what you think it will.

    RequestPolicy Blocks a bit more than NoScript. The 1.x beta is the one to use in blacklist mode. Earlier versions block everything by default, and combined with NoScript, it made things very difficult. Probably not essential if you have NoScript.

    CertificatePatrol shows site certificates, and lets you know when they change. Not a big deal for most sites, but it doesn't hurt to notice, but I'd pay particular attention to sensitive sites like banking where it really matters.

    BetterPrivacy clears Flash cookies, which tend to stick around and are hard to deal with using built-in tools. Prevents tracking.
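
The exposure described in the post above (HTML allowed in announcement titles, with the script hosted offsite), as an added example that is not part of the original post or the affected forum's code: the unescaped rendering next to an escaped one, a Content-Security-Policy header as a second layer, and an audit over stored titles. The function names, the policy string and the sample rows are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample data.

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the title is trusted as HTML because a moderator wrote it.
function renderTitleUnsafe(title) {
  return `<h2 class="announcement">${title}</h2>`;
}

// "After": the title is treated as text regardless of the author's role,
// so a compromised moderator account cannot inject markup.
function renderTitleSafe(title) {
  return `<h2 class="announcement">${escapeHtml(title)}</h2>`;
}

// Second layer: a response header that forbids inline and off-origin scripts,
// so markup that slips through still cannot load a script hosted elsewhere.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Audit helper: flag stored titles that contain script-capable markup
// (script-bearing tags, inline event handlers, javascript: URLs).
const SCRIPT_CAPABLE =
  /<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:/i;

function auditTitles(rows) {
  return rows.filter((r) => SCRIPT_CAPABLE.test(r.title)).map((r) => r.id);
}

// Constructed sample rows standing in for an announcements table.
const SAMPLE = [
  { id: 1, title: 'Forum maintenance on Sunday' },
  { id: 2, title: 'Read this <script src="https://offsite.example/a.js"></script>' },
  { id: 3, title: 'Rules <b>update</b>' },
  { id: 4, title: '<img src="x.png" onload="init()"> Welcome' },
];

console.log(auditTitles(SAMPLE));              // ids whose titles need review
console.log(renderTitleSafe(SAMPLE[1].title)); // markup rendered as inert text
console.log(CSP_HEADER);
```
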
  • Snusdog
    Member
    • Jun 2008
    • 6752

    #2



    So wait........does this have anything to do with my salad shooter thread from about a month ago..........cause I can still get them for everyone for around $5 a pop

    And if you want to put Java Script in...... or Kava Kava....... or just plain lettuce.........it's all good....chef don't judge
    When it's my time to go, I want to die peacefully in my sleep, like my uncle did....... Not screaming in terror like his passengers
