UBB/PPrune user details hacked ?


El Desperado
4th Jul 2001, 15:18
A colleague of mine told me there is an ongoing thread in their airline forum re. a successful hack on Pprune and the UBB software in general.

Apparently, some little git has managed to obtain all details of every registered user including email addresses, passwords etc. Whilst not a big deal for a lot of people, if you registered as [email protected] you are possibly linked to your username.

I assure you this is not a wind-up on my part - I just want to know if it is true or not.

Foster
4th Jul 2001, 16:04
Yes it's true. Every private forum password has been made available to those in the clique (I'm not but I've seen the list) and all username/password combinations can be easily accessed. ID's can only be linked to usernames if you registered with an identifiable e-mail address ie your-real [email protected], apparently.

------------------

tcp
4th Jul 2001, 21:02
Rumour has it that a PPRuNe user had his whiz-kid son hack the UBB. His father has been giving out details to close friends. Also hear that son has hacked his school computer system twice, once after he told them it was not secure and the school paid to have the security improved. Also told that this person is a BALPA rep for his company. If true then he should be banned from PPRuNe and exposed!

PPRuNe Dispatcher
4th Jul 2001, 22:10
If anyone has any details on this, please send me email [email protected]

---PPRuNe Dispatcher

[This message has been edited by PPRuNe Dispatcher (edited 04 July 2001).]

Skycop
5th Jul 2001, 02:00
If this is true then those involved should be aware that the UK Computer Misuse Act 1990 prescribes a penalty of up to six months in jail for illegal hacking.

Sensible
5th Jul 2001, 02:58
Just a thought, I understand that the PPRuNe server is in the USA and the hack may well have been carried out in the UK. So is the hacker liable to have broken USA or UK law?

El Desperado
5th Jul 2001, 03:05
Common knowledge then... I think Danny and co. should post an announcement, however embarrassing, about what has happened.

Skycop - I'm sure you're right about possible penalties but as an ex-IT professional, I can assure you the authorities won't give a damn about a non-intrusive crack that hasn't cost anyone a penny in lost revenue.

If it is a hack/crack on a US server, a crime has not been committed unless there has been a financial loss to the victim of more than $5000. Source - http://www.grc.com (see the fascinating article on Denial of Service attacks and the American authorities' response !)

If the hacker is under-age, then all they could possibly get is a sound ticking off - the potential damage to people's careers is mind-boggling if the details get out to the wrong people. Or the details are paid for...

So now anyone with 'the list' can post anything they like under anyone's username. Great. At least when the lawsuit arrives I can happily say it wasn't me who did the posting !

This needs to be sorted out gents.

El Desperado
5th Jul 2001, 04:30
P.S.

Just to let you know how easy this is, I followed a couple of links from the grc.com site, downloaded a few tools and hey presto, with only power-user knowledge of windows (no programming) I sit here armed with the same software used by these people.

And boy does it work. I loaded a trojan onto one of my home network PCs by binding it (terms I didn't even know until a few hours ago) to a picture attached to an email. Yep, you open a picture, you now have a trojan that barely anything can detect.

If I sent it to you, I could enlist your PC in a denial of service attack, browse through your files or just use you as a stepping stone to hack somewhere else with your pc as the culprit.

Pointless, but enlightening, I can now see the entire desktop of this 'sacrificed' PC, every mouse click, every file, every password stored in windows... I can even stream the webcam attached to it to this PC. And worst of all, the Norton Anti-Virus software installed on it hasn't got a clue what is going on.

I have a port scanner, IP scanner... took me about ten minutes to download and about an hour to figure out how to use it.

I had no idea what could be done until I started looking into it and although I have some (now out of date) IT experience, I reckon anyone with intent could be up and running within a couple of days.

It would take me an afternoon to take most web sites down or insidiously insert my software into them. This took me all of today to learn.

Flabbergasted.

Evo7
5th Jul 2001, 10:48
Port scanners aren't necessarily a bad thing - it's well worth getting one and pointing it at your own computers, especially if you're on an always-on connection.

I installed one (nmap: http://www.insecure.org/) and it taught me a hell of a lot about what my system was offering the outside world. Once the shock subsided, I started learning how to turn everything off. Only thing open now is an ssh daemon. Hack that :)

Yeah, I know it can be done. But Joe Script-Kiddie can't do it.

The problem, I think, is that while these things are relatively easy to fix, few people take the time to learn to do it. I was as guilty as any in that until I got spooked six months ago by discovering that someone was using a copy of sendmail running on my Linux box to forward spam. I didn't even know I was running it - RedHat had helpfully set that and a bunch of other stuff up by default. Did a bit of reading, got freaked out and started running a tighter setup.
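
A self-audit in the spirit of the post above, as an added example that is not part of the original thread: it reads the Linux listening-socket table and reports services reachable from other hosts that are not on an allowlist. The sample table, the allowlist of port 22 and the function names are assumptions constructed for illustration; the hex address decoding assumes a little-endian machine such as x86.

```python
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/tcp (not data from the thread).
# Only two columns matter here: local_address (hex IP:port) and st (0A = LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00A8C0:0016 0B00A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

LISTEN = "0A"  # kernel TCP state code for a listening socket


def decode_addr(hex_addr):
    """Turn '0100007F:0019' into ('127.0.0.1', 25)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the IPv4 address as a native-endian 32-bit word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Return (ip, port) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            found.append(decode_addr(fields[1]))
    return found


def audit(table_text, allowed_ports):
    """Listeners reachable from other hosts whose port is not allowed."""
    findings = []
    for ip, port in listening_sockets(table_text):
        if ip.startswith("127."):
            continue  # bound to loopback only, not offered to the network
        if port not in allowed_ports:
            findings.append((ip, port))
    return sorted(findings)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for ip, port in audit(table, allowed_ports={22}):
        print(f"unexpected listener on {ip}:{port}")
```

On the constructed sample this flags the mail port bound to all interfaces, while the loopback-only listener and the allowed ssh port pass.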

BOAC
5th Jul 2001, 15:21
I'm really stretching my understanding of computers/internet here, but having looked at the grc link, is it not really a problem with the IRC function? Before we start a mass panic, I cannot see that most users are vulnerable, unless they are on IRC and are not running Zone Alarm. Please correct me if I am wrong.

El Desperado
5th Jul 2001, 16:33
BOAC - Sub7 (the trojan described by Gibson) uses IRC protocol to let the hacker know what machines are online and available for use. It does not use IRC per se for any attack or hacking attempt. Zone Alarm will catch a lot of malicious traffic, but not all of it.

Most people feel comfortable with their anti-virus software, more informed people use a personal firewall but it's merely an annoyance that takes a few seconds to overcome.

On the positive side though, unless you sit permanently connected to the internet by cable modem or a T-line, you are unlikely to be affected.

In the meantime, have a look at http://www.tlsecurity.net
http://www.megasecurity.org
and in particular
http://www.megasecurity.org/Trojanlist.html

Whilst purporting to be 'security' sites, offering software for network pros to use to test their own system, they are quite obviously repositories for hacking software.

Download some of it... the capabilities are almost unbelievable.

BigJETS
5th Jul 2001, 20:54
"On the positive side though, unless you sit permanently connected to the internet by cable modem or a T-line, you are unlikely to be affected."

At $25.00/mo, cable is pretty hard to pass up. Tline is really annoying to me anymore. I can pprune about 5 times faster than most. :)
The grc site was very good reading. I think I closed the door a bit.

PPRuNe Dispatcher
5th Jul 2001, 22:49
We still have no evidence that we have in fact been hacked.

We have very very few ports open. We log all accesses. We have security systems set up to alert us if something unusual happens.

If someone has details of what was done then let me know. I will of course keep any details sent to me completely confidential.

---PPRuNe Dispatcher

Captain Airclues
6th Jul 2001, 00:31
I have discovered that somebody has hacked into my computer, and downloaded my MS Combat Flt Sim scores. If anyone dares to reveal the fact that my sons all get higher scores than me (not to mention Mrs Airclues), then I shall be consulting my solicitor.

Airclues

redsnail
6th Jul 2001, 00:48
Ahhhh Cap'n, that was common knowledge. Your scores have been on 10 dubya's site for months ;)

------------------
reddo...feral animal!

CrashDive
6th Jul 2001, 01:00
Backing up what PPRune Dispatcher has written above..... show us some proof and maybe then we'll believe it, i.e. PPRuNe Dispatcher has got our server(s) sewn-up tighter than a ducks a_rse in water - jeez, even I have trouble getting in sometimes !

That said, in this day and age running a PC or any network connection without some form of firewall (hardware / software) in the link between it and the web is just asking for it, imho !

tony draper
6th Jul 2001, 01:29
I never understand why people are so coy on forums, in all the years I've posted on all the different forums I post on I've always used my real name and as far as I know my email is in my profile.
I can understand why some of the loons use nicknames, but that is more about the rubbish they post than other users.
I've never had any problem, ooeeerr, shouldn't have said that Draper.
What exactly is the problem if this info is public domain, my telephone number is in the book, my address is in the street directory?

[This message has been edited by tony draper (edited 05 July 2001).]

Slasher
6th Jul 2001, 15:42
Airclues.
I know a way you can beat your sons at CFS without cheating. My highest score is 243 kills in BoB at "Ace" enemy level and without aircraft tags! Let me know if you want the info.
Flt Lt Slash. VD & Scar

TAF Oscar
8th Jul 2001, 16:08
El Desperado

if you're worried about The Dreadful Hacker logging on as you and posting in your name, why not change your password? I've just changed mine. Unless it's hacked again the old password will be useless. Won't it? Or is this too obvious?

El Desperado
9th Jul 2001, 03:03
Oscar,

Logically, changing your password would have no effect if the following premise is true..

'Pprune has been hacked and the owners of the board have no evidence of this and therefore cannot prevent a repeat effort.' !

The guys I've spoken to are convinced it has been done and say that they have seen this bit of paper, that bit of paper, etc etc, but I haven't seen any hard evidence myself. Only thing is, I can't see why they would make it up.

No system is hack-proof. No software is uncrackable - if... someone wants in badly enough.

If someone did it just for the hell of it, because it could be done, then we'll probably never hear about it again.

If you want to see what can be done with a trojan, (not software hacking!), click on the link below..(it's just a web page, won't do anything to your systems, honest !)

They could be doing this to you... right now.... (http://www.iwg.org/~raven/dork.shtml) :D

[ 08 July 2001: Message edited by: El Desperado ]

CrashDive
9th Jul 2001, 03:47
.........actually what somebody has probably gone and done is to get a copy of something like 'MemoWeb 3' (yours for £29.99 from PC World) and 'grab' the whole PPRuNe (well as much as they're allowed to see, that is - e.g. the browsable page contents ).

Indeed, for all those folks who've been in receipt of 'unsolicited emails', and in particular which have apparently emanated from your PPRuNe account email address, this is almost certainly how it's been done - the download 'bot just grabs the email addresses from the PPRuNe pages and saves them to the 'bot user's PC; all rather too easy really - but a far cry from being hacked.

Now w.r.t. some specifics....:

The guys I've spoken to are convinced it has been done and say that they have seen this bit of paper...... A piece of paper containing the details of nearly 35000+ PPRuNers would be quite a weighty tome !

No system is hack-proof. No software is uncrackable - if... someone wants in badly enough...... True, but why on earth would somebody want access to the details we hold, i.e. most of the email addresses we hold are so indeterminable as to be almost useless, and a lot of the other stuff in folk's profiles is about as useful as a chocolate teapot !

If someone did it just for the hell of it, because it could be done, then we'll probably never hear about it again..... I agree once again - but perhaps the bottom line is that whilst any such hack would be annoying (from a technical stand-point) - they've done no harm; Sh!t even if they crashed the server we can always rebuild it and, as mentioned above, it's not as if we have rack loads of confidential information or some such.

So perhaps a case of habeas corpus (or in plain English...... thus far, an awful lot of "If's, but's, and maybe's") ?!

Ps. Folks, perhaps this just goes to prove that you should all avail yourself of:

A). Good anti-virus software (e.g, Sophos, Norton, McAfee) and turn it on to monitor all programs & files (inc Emails), and to update it very regularly.

B). Make use of firewall hard/software, e.g. ZoneAlarm Pro.

C). Be careful about just what details you provide about yourself over / on the web !

[ 08 July 2001: Message edited by: CrashDive ]

Blacksheep
9th Jul 2001, 09:08
"Why would anyone be interested in what is in my PC?"

Because software can shuffle through a whole mass of details from a huge mass of computers quite effortlessly, mining details such as credit card numbers for example. Do you use on-line banking? Perhaps not, but lots of other people do and software can crack the passwords easily. Professional Pilots are notoriously wealthy people so pilots' computers might be very interesting places to visit. If you want to open up your PC like a whore's legs to all comers, just log on to an Internet Chat session. Hackers are very interested in IRC numbers so they can track log-ons and walk straight through the open door into your files, even if you have a firewall. Get real, there's lots of stuff in your PC to attract attention. You wouldn't leave your briefcase on the front seat of your car, now would you?

Or would you?

**********************************
Through difficulties to the cinema

Puritan
9th Jul 2001, 11:09
What !!! Professional Pilots are notoriously wealthy people..... Really ?! (I'm now ROFLOL :D )

You're not actually in aviation as a professional pilot, are you Blacky ?!

Blacksheep
9th Jul 2001, 16:58
Me a Professional Pilot? You're really new around here aren't you? Read my profile.

Unfortunately our knowledge of pilots' true wealth is not shared by the public. People outside aviation believe pilots are granite-jawed super-heroes who take home 250 grand every year. We aviation professionals, of course, recognise the pot-bellied grey-haired old geezers staggering to their 1990 Toyota Corollas in the car park.

Don't we? :D

**********************************
Through difficulties to the cinema

Avtrician
9th Jul 2001, 18:34
Tried to fire off one of those thru the net Nukes the other day, but my Virus checker wouldn't let me. The Trojans were found in the files and the checker denied access to the files as they were on a CD so couldn't be cleaned.

I also find that Zone Alarm coupled with a good anti virus Prog like VET (http://www.vet.com.au) goes a long way to stop nasties getting in.

My Kids have had their Friends try to send various bombs and trojans to my computer, (even sub7, I saw it die before it got in ) without success. :confused: