Re-creating Evark's thread. As an additional warning, I would like all of the users to read up on Cross-site scripting.
Here is the thread in its entirety, plus rules for posting here.
Since Wade's threads are now missing and I doubt he's the time to make a new one, I've decided to put up a new thread to ease General's baseless fears and explain what's happened.
This past week, a concerted effort has been made by some random nobodies to cause problems for NG. Thus far they've:
%u2028- Accessed 4 moderator accounts (including some BBS moderators, hence the deletion of a number of recent threads and thusly users' recent posts)%u2028- Accessed a number of user's accounts%u2028- Caused an unnecessary panic amongst the active members of the community.
How did they do this? Simply. VERY SIMPLY.
Phishing. For those uninterested in the wiki article, phishing is most commonly used to gain sensitive information for the purpose of stealing identify information or bank account access information.
- HOW DOES PHISHING WORK?%u2028Phishing is typically conducted by posting an identical copy of NG's layout on a non-NG domain name. A page may appear entirely as Newgrounds.com does, every link will link to normal NG.com URLs, everything appears ordinary EXCEPT the URL at the top of your page. The page will request your username and password, most notably in cases where you were already logged in to NG when you were directed to the phishing page.
- HOW CAN I PROTECT MYSELF?%u2028Be observant. If the URL at the top of your page does not say "newgrounds.com" for the domain, or is unrecognizable to normal NG URLs, DO NO ENTER YOUR INFORMATION.
That explains day 1's attack. You guys see accounts compromised, mods are alerted to the scheme, phishing is no longer a viable method of compromising accounts for these random nobodies. Panic abounds.
Day 2 is a different method. Also simple.
Brute force attack. A brute force attack is a method by which an account (usually email which doesn't restrict password attempts as NG does) is systematically cross-referenced with a database of common words, phrases, and variations therein.
- HOW DOES BRUTE FORCE WORK?%u2028A brute force attack works by running a program that tries password after password until it is successful. Kinda like asking "are we there yet?" on a long car ride nonstop for several hours.
- HOW CAN I PROTECT MYSELF?%u2028You can protect yourself by ensuring that your email account password is anything but common. Use a strongly secure password. A strongly secure password follows these rules:%u2028+++Contains alphabetical, numerical, and non-alphanumeric characters%u2028+++Contains a mixture of upper case and lowercase letters%u2028+++Is completely indecipherable and meaningless%u2028+++Does not follow an easily recognizable pattern of any sort
- UH, I HAVE NO IDEA WHAT YOU'RE SAYING, GIVE AN EXAMPLE%u2028Ok, well... if your password is, for instance: penis, you'll be compromised. If it's, for instance: p3n15, you'll be compromised. But, if you've got your password set as p3N0rD1i(l(z, (see penordicks and an additional number in there?) you're probably reasonably safe.
There are a number of sites online that you may find using a simple google search that can generate a decent password for you, or explain how to come up with your own (so you can remember it).
-------------------
Now then, that's all I've got to offer. I hope you all take heed of the warnings that have been heaped on you in the past few days, but go ahead and drop the useless panic. When YOUR account is compromised, you may Private Message an administrator with an alt and provide detailed information about the account's personal details (name, school, email addy signed up with, email addy before being compromised, old password, etc.) and they can get it back for you. If a moderator's account is compromised, you may message a moderator, preferably one that you know is online and active, and preferably using AIM or something similar so that they notice faster. PMs are great, but they tend to pile up quickly and if the mod isn't navigating to new pages on NG, they won't notice they've been contacted.
Thanks. Please try to keep conversation as non-sensational as possible. This is not the downfall of NG or anything like that. It's just a couple of lucky breaks for some annoying e-miscreants.
-------------------
THINGS I WILL NOT TOLERATE IN THIS THREAD:
- Posting of private mod-lounge information
- Rumors and misinformation
- Sensational mention of as-yet-unrealized threats
- Comments suggesting that we remain apprehensive about our accounts' security
Also: I'm deleting references to those responsible. It isn't important who is responsible, and I will not allow them to have their recognition.
