Cruisers Forum
28-08-2016, 05:51   #16
boat_alexandra
Registered User
Join Date: Aug 2009
Location: BVI
Boat: bristol 27
Posts: 2,640
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by cagney
The activity of each user is documented. If they have contributed to an illegitimate post -> delete them. This would probably cover the vast majority, if not everyone.

/Thomas
I tried to do that but I don't know how; maybe I don't have permission?
-- boat_alexandra
28-08-2016, 05:56   #17
CarCode
Registered User

Join Date: Jul 2010
Location: Monastir, Tunisia
Boat: Westerly Pentland
Posts: 1,665
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal
The site is not hacked. There is just someone posting automatic spam into the news section of it for the past few weeks, which is allowed by design and technically we were just lucky nobody did it before. The captcha the website uses should certainly be hardened to stop it. There is nothing to worry about for the downloads, which are also hosted on a completely separate CDN.
An F rating in the scan posted seems quite common, and irrelevant to what's happening.

Yes, opencpn.org needs some more care, yes, it is generally nice to use encryption everywhere, no this is not the end of the world.

Pavel
You are a little bit too careless. If anybody is able to misuse a website, this website is hacked. Have you meanwhile checked every page of opencpn.org for cross-site scripting or other malware tools? I'm sure you will not even recognize it. Furthermore, all data of users registered to opencpn.org can be stolen.
To teach you something about security: The first step to do in such a case is to switch off the website immediately.

Gerhard
-- CarCode
28-08-2016, 06:23   #18
nohal
Registered User

Join Date: Feb 2010
Location: On the go. Not in Prague.
Posts: 3,945
Re: OpenCPN Homepage hacked

Gerhard...
Could you please elaborate on how "Furthermore all data of users registered to opencpn.org can be stolen"? This is spam, nothing more, nothing less. Annoying it is, that's for sure.

Thank you

Pavel
-- nohal
28-08-2016, 07:17   #19
Lake-Effect
Registered User

Join Date: May 2011
Location: Toronto
Boat: Sandpiper 565
Posts: 2,681
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal
The site is not hacked. There is just someone posting automatic spam into the news section of it for the past few weeks, which is allowed by design and technically we were just lucky nobody did it before. The captcha the website uses should certainly be hardened to stop it. There is nothing to worry about for the downloads, which are also hosted on a completely separate CDN.
An F rating in the scan posted seems quite common, and irrelevant to what's happening.

Yes, opencpn.org needs some more care, yes, it is generally nice to use encryption everywhere, no this is not the end of the world.

Pavel
I agree that no, it's not a hack and does not necessarily mean that your site's user data are vulnerable.

But from a user perspective, it's like puke on the floor of a restaurant. Not a good experience for users. Someone needs to grab a mop ASAP and clean it up.
-- Lake-Effect
28-08-2016, 17:03   #20
rgleason
Registered User

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 8,007
Re: OpenCPN Homepage hacked

What I don't like about it at all is the possibility of malicious editing. That would really be a problem, and we have tons of bots and spammers who are logged in now.

Thomas, perhaps you can advise. How do these intruders get deleted?
Who volunteers to help and be a janitor of sorts to help clean this up?

Also, who will volunteer to make an ironclad Captcha, or to suggest a very very good one that can be deployed ASAP so all the clean-up effort does not become endless!
-- rgleason
28-08-2016, 18:47   #21
bdbcat
Marine Service Provider

Join Date: Mar 2008
Posts: 4,654
Re: OpenCPN Homepage hacked

Rick....

Working on this now. There are lots of things that can be done to filter bots, etc. It can all be fixed, just takes time and the right login creds.

Patience....
Dave
-- bdbcat
28-08-2016, 19:40   #22
Eben
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by CarCode
It seems the official OpenCPN homepage is hacked.
Open this link and see for yourself: | Official OpenCPN Homepage

Especially Windows users should be warned against downloading anything from OpenCPN | Official OpenCPN Homepage

This website is not a safe address. Safe websites use https:// instead, and not http:// as opencpn.org does.

Gerhard
My day job involves cyber security, so I'll explain a few things.

While you're correct that https is something all sites should use, it does not make it safe. https only encrypts the communication between your browser and the server. This prevents someone in the middle from sniffing the traffic.

Even if a server uses https it does not mean that the site is not malicious. If you think all sites that use https are safe you're likely to run into trouble. Usually what it means is that the owner of the site has been verified to some extent. It does not mean the site wasn't compromised and had malicious code injected into it.

As to the claim that the site was hacked, you've provided no hard evidence. The lack of https is not an indicator that it's been compromised, it just means that the traffic is public and not private. So it's probably not a good idea to use your only password on that site since it can be discovered by packet sniffing.

Correction: I see the screen shot now.

That's an injection attack, it can be performed on sites that use https as well, I know I've done it many times on customer systems.
-- Eben
28-08-2016, 19:52   #23
Eben
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal
Gerhard...
Could you please elaborate on how "Furthermore all data of users registered to opencpn.org can be stolen"? This is spam, nothing more, nothing less. Annoying it is, that's for sure.

Thank you

Pavel
While Gerhard wasn't quite correct regarding the site being unsafe, he is absolutely correct that users' logins and passwords can be sniffed by a man in the middle attack (lack of https).

Having said that, from a quick inspection the site is running on php, so it's highly likely there's some vulnerability somewhere; php is very hard to secure properly.

It's quite simple: don't use the same credentials you use all over the place (you should use unique passwords for all sites, well, pass phrases actually). Also, you do have a disposable email address for this type of thing, right?
-- Eben
29-08-2016, 01:23   #24
CarCode
Registered User

Join Date: Jul 2010
Location: Monastir, Tunisia
Boat: Westerly Pentland
Posts: 1,665
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Eben
My day job involves cyber security, so I'll explain a few things.

While you're correct that https is something all sites should use, it does not make it safe. https only encrypts the communication between your browser and the server. This prevents someone in the middle from sniffing the traffic.

Even if a server uses https it does not mean that the site is not malicious. If you think all sites that use https are safe you're likely to run into trouble. Usually what it means is that the owner of the site has been verified to some extent. It does not mean the site wasn't compromised and had malicious code injected into it.

As to the claim that the site was hacked, you've provided no hard evidence. The lack of https is not an indicator that it's been compromised, it just means that the traffic is public and not private. So it's probably not a good idea to use your only password on that site since it can be discovered by packet sniffing.

Correction: I see the screen shot now.

That's an injection attack, it can be performed on sites that use https as well, I know I've done it many times on customer systems.
If you are a security expert you know very well that every system can be hacked. It is only a question of how easy it is. That was shown by the FBI's attempts to hack an iPhone without success, while "Pegasus" has had this success recently.
OpenCPN is a target which might be interesting for certain people to harm. Although the software itself is very vulnerable it does not matter so much because the software is mostly used at sea without internet access. However its website should have some simple security, e.g. to prevent visitors being infected.
The first step is using https; then the HTTP Strict Transport Security (HSTS) header should be implemented, Content Security Policy (CSP) headers should be implemented, redirections should be checked so that they do not redirect to a non-https page, and the X-Content-Type-Options, X-Frame-Options (XFO) and X-XSS-Protection headers should be implemented.

Once this has been done the first, simplest things are done. Until then, Windows users especially should avoid visiting this website. This event has shown that for a long time no administrator has ever checked this website. A very bad reputation for OpenCPN.

Gerhard
-- CarCode
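A small audit of the header checklist Gerhard lists in the post above, added here as an example; it is not code from the thread or from the OpenCPN project. It takes one HTTP response (URL, status, headers) and reports which listed items are missing or weak, including a redirect that lands on a non-https page. The sample responses and the example.org URLs are constructed.

```python
# Added example, not OpenCPN code: audit one HTTP response against the header
# checklist in the post above. Sample responses below are constructed.
from urllib.parse import urlsplit

# Header name (lower-case) -> label used in findings.
REQUIRED = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "x-xss-protection": "X-XSS-Protection",  # listed in the post; ignored by current browsers
}

def audit_response(url, status, headers):
    """Return the list of checklist findings for one response; empty means it passes."""
    findings = []
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Step one in the post: the page itself must be served over https.
    if urlsplit(url).scheme.lower() != "https":
        findings.append("page served over plain http")
    # A redirect must not land on a non-https page; the remaining headers are
    # judged on the final page, so a redirect hop stops here.
    if status in (301, 302, 303, 307, 308):
        target = h.get("location", "")
        if urlsplit(target).scheme.lower() == "http":
            findings.append("redirect to non-https target: " + target)
        return findings
    findings.extend("missing " + label for name, label in REQUIRED.items() if name not in h)
    # HSTS only protects with a non-zero max-age.
    hsts = h.get("strict-transport-security", "")
    if hsts:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d[len("max-age="):] for d in directives if d.startswith("max-age=")), "0")
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append("HSTS max-age is zero or missing")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is neither DENY nor SAMEORIGIN")
    return findings

# Constructed samples: the same page before and after the checklist is applied.
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'",
            "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "SAMEORIGIN",
            "X-XSS-Protection": "1; mode=block"}
BEFORE = audit_response("http://example.org/", 200, {"Content-Type": "text/html"})
AFTER = audit_response("https://example.org/", 200, HARDENED)
```

Run against live responses, the same function reports exactly which of Gerhard's items a page still lacks; it checks presence and the most common weak values, not whether a CSP is actually restrictive.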
29-08-2016, 01:46   #25
Eben
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by CarCode
If you are a security expert you know very well that every system can be hacked. It is only a question of how easy it is. That was shown by the FBI's attempts to hack an iPhone without success, while "Pegasus" has had this success recently.
OpenCPN is a target which might be interesting for certain people to harm. Although the software itself is very vulnerable it does not matter so much because the software is mostly used at sea without internet access. However its website should have some simple security, e.g. to prevent visitors being infected.
The first step is using https; then the HTTP Strict Transport Security (HSTS) header should be implemented, Content Security Policy (CSP) headers should be implemented, redirections should be checked so that they do not redirect to a non-https page, and the X-Content-Type-Options, X-Frame-Options (XFO) and X-XSS-Protection headers should be implemented.

Once this has been done the first, simplest things are done. Until then, Windows users especially should avoid visiting this website. This event has shown that for a long time no administrator has ever checked this website. A very bad reputation for OpenCPN.

Gerhard
Ok I guess we're having a measuring contest....

Those are all valid points, but it doesn't prevent some simple schoolboy hacks from being done. A simple LFI or even better RFI can still be performed on a site that has all of the above implemented. I know I've done it many times.

I don't disagree with the fact that the site is vulnerable, heck if you can get me a signed piece of paper giving me permission to prove it, I will...

What I meant to say, which may have gotten lost in the text, is that https is not a measure of a safe site; it's easy to get free x509s for ssl...

I also agree that there's no reason for not having https in this day and age and it should be the standard.

Also initially I didn't notice the screenshot you posted, but you cited the lack of https as the reason why the site got hacked...

Again, I don't disagree that these things require fixing, but telling users that a site is safe because it has https is just plain wrong...

The internet is a big bad scary place once you see it for what it is! I'm fighting daily to try and educate users around this; things are not as binary as we'd like. It's really really hard to spot a bad site, sure things like https might be a hint, but that's assuming that users check the signatures and know how to verify them. Assuming of course that their machines don't have bad root certs installed.

We can go on and on about these things if you like; bottom line is be careful how you go about explaining things to users. I'm still struggling to get users to realise complex 8 character passwords are not secure and longer pass phrases, say 16+ characters, are better. Some security expert told them a long time ago that this is the way to go, they are now stuck in that thinking...

Security is a moving target, teach vigilance rather than simple "rules of thumb".

So to re-iterate, I don't disagree that those things need to be in place, but it's not going to stop a mildly skilled attacker.

Also for the record OWASP top 10 does not mean the site is safe either...

-- Eben
29-08-2016, 02:02   #26
CarCode
Registered User

Join Date: Jul 2010
Location: Monastir, Tunisia
Boat: Westerly Pentland
Posts: 1,665
Re: OpenCPN Homepage hacked

Obviously my English is really bad. I have said that every system can be hacked. But there is no reason to open it widely to every scripting kiddie.
That has been done here and no administrator has ever checked this site.

I hope you understand now what I have said.

Gerhard
-- CarCode
29-08-2016, 04:16   #27
rgleason
Registered User

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 8,007
Re: OpenCPN Homepage hacked

It's kind of weird being online logged in to opencpn and of the five online users I am the only legit user. The rest are all hacking actively!
This can't be too good.
-- rgleason
29-08-2016, 04:20   #28
bcn
Registered User

Join Date: May 2011
Location: underway whenever possible
Boat: Rangeboat 39
Posts: 2,432
Re: OpenCPN Homepage hacked

Eben,

what about helping Dave to make the "holes" smaller?
It would be very much appreciated.

Hubert
-- bcn
29-08-2016, 04:29   #29
Eben
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 124
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by bcn
Eben,

what about helping Dave to make the "holes" smaller?
It would be very much appreciated.

Hubert
Way ahead of you, I've already offered to help with this particular issue...
-- Eben
29-08-2016, 04:32   #30
rgleason
Registered User

Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 8,007
Re: OpenCPN Homepage hacked

Yes, Eben, your thoughts on a better captcha too? If I can help with the mop-up, let me know.
-- rgleason
Tags: enc, opencpn

All times are GMT -7.