Cruisers Forum
Old 28-08-2016, 05:51   #16
Registered User

Join Date: Aug 2009
Location: oriental
Boat: crowther trimaran 33
Posts: 4,417
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by cagney View Post
The activity of each user is documented. If they have contributed to an illegitimate post -> delete them. This would probably cover the vast majority, if not everyone.

/Thomas
I tried to do that but I don't know how, maybe I don't have permission?
seandepagnier is offline   Reply With Quote
Old 28-08-2016, 05:56   #17
Registered User

Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,541
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal View Post
The site is not hacked. There is just someone posting automatic spam into the news section of it for the past few weeks, which is allowed by design and technically we were just lucky nobody did it before. The captcha the website uses should certainly be hardened to stop it. There is nothing to worry for the downloads, which are also hosted on a completely separate CDN.
An F rating in the scan posted seems quite common, and irrelevant to what's happening.

Yes, opencpn.org needs some more care, yes, it is generally nice to use encryption everywhere, no this is not the end of the world.

Pavel
You are a little bit too careless. If anybody is able to misuse a website, this website is hacked. Have you checked meanwhile every page of opencpn.org for cross-site scripting or other malware tools? I'm sure you will not even recognize it. Furthermore all data of users registered to opencpn.org can be stolen.
To teach you something about security: The first step to do in such a case is to switch off the website immediately.

Gerhard
CarCode is offline   Reply With Quote
Old 28-08-2016, 06:23   #18
Registered User

Join Date: Feb 2010
Location: Tierra del Fuego
Boat: Phantom 19
Posts: 6,211
Re: OpenCPN Homepage hacked

Gerhard...
Could you please elaborate on how "Furthermore all data of users registered to opencpn.org can be stolen"? This is spam, nothing more, nothing less. Annoying it is, that's for sure.

Thank you

Pavel
nohal is online now   Reply With Quote
Old 28-08-2016, 07:17   #19
Registered User

Join Date: May 2011
Location: Lake Ont
Posts: 8,548
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal View Post
The site is not hacked. There is just someone posting automatic spam into the news section of it for the past few weeks, which is allowed by design and technically we were just lucky nobody did it before. The captcha the website uses should certainly be hardened to stop it. There is nothing to worry for the downloads, which are also hosted on a completely separate CDN.
An F rating in the scan posted seems quite common, and irrelevant to what's happening.

Yes, opencpn.org needs some more care, yes, it is generally nice to use encryption everywhere, no this is not the end of the world.

Pavel
I agree that no, it's not a hack and does not necessarily mean that your site's user data are vulnerable.

But from a user perspective, it's like puke on the floor of a restaurant. Not a good experience for users. Someone needs to grab a mop ASAP and clean it up
Lake-Effect is offline   Reply With Quote
Old 28-08-2016, 17:03   #20
Registered User
Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

What I don't like about it at all is the possibility of malicious editing. That would really be a problem, and we have tons of bots and spammers who are logged in now.

Thomas, perhaps you can advise. How do these intruders get deleted?
Who volunteers to help and be a janitor of sorts to help clean this up?

Also, who will volunteer to make an ironclad Captcha, or to suggest a very, very good one that can be deployed ASAP so all the clean-up effort does not become endless!
rgleason is offline   Reply With Quote
Old 28-08-2016, 18:47   #21
Marine Service Provider
Join Date: Mar 2008
Posts: 7,401
Re: OpenCPN Homepage hacked

Rick....

Working on this now. There are lots of things that can be done to filter bots, etc. It can all be fixed, just takes time and the right login creds.

Patience....
Dave
bdbcat is offline   Reply With Quote
Old 28-08-2016, 19:40   #22
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by CarCode View Post
It seems the official OpenCPN homepage is hacked.
Open this link and see for yourself: | Official OpenCPN Homepage

Especially Windows users should be warned to download anything from OpenCPN | Official OpenCPN Homepage

This website is not a safe address. Safe websites use https:// instead, and not http:// as opencpn.org does.

Gerhard
My day job involves cyber security, so I'll explain a few things.

While you're correct that https is something all sites should use, it does not make it safe. https only encrypts the communication between your browser and the server. This prevents someone in the middle sniffing the traffic.

Even if a server uses https it does not mean that the site is not malicious. If you think all sites that use https are safe, you're likely to run into trouble. Usually what it means is that the owner of the site has been verified to some extent. It does not mean the site wasn't compromised and had malicious code injected into it.

As to the claim that the site was hacked, you've provided no hard evidence. The lack of https is not an indicator that it's been compromised, it just means that the traffic is public and not private. So it's probably not a good idea to use your only password on that site since it can be discovered by packet sniffing.

Correction: I see the screen shot now.

That's an injection attack, it can be performed on sites that use https as well, I know I've done it many times on customer systems.
Eben is offline   Reply With Quote
Old 28-08-2016, 19:52   #23
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by nohal View Post
Gerhard...
Could you please elaborate on how "Furthermore all data of users registered to opencpn.org can be stolen"? This is spam, nothing more, nothing less. Annoying it is, that's for sure.

Thank you

Pavel
While Gerhard wasn't quite correct regarding the site being unsafe, he is absolutely correct that users' logins and passwords can be sniffed by a man-in-the-middle attack (lack of https).

Having said that, from a quick inspection the site is running on php, so it's highly likely there's some vulnerability somewhere; php is very hard to secure properly.

It's quite simple: don't use the same credentials you use all over the place (you should use unique passwords for all sites, well, pass phrases actually). Also, you do have a disposable email address for this type of thing, right?
Eben is offline   Reply With Quote
Old 29-08-2016, 01:23   #24
Registered User

Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,541
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by Eben View Post
My day job involves cyber security, so I'll explain a few things.

While you're correct that https is something all sites should use, it does not make it safe. https only encrypts the communication between your browser and the server. This prevents someone in the middle sniffing the traffic.

Even if a server uses https it does not mean that the site is not malicious. If you think all sites that use https are safe, you're likely to run into trouble. Usually what it means is that the owner of the site has been verified to some extent. It does not mean the site wasn't compromised and had malicious code injected into it.

As to the claim that the site was hacked, you've provided no hard evidence. The lack of https is not an indicator that it's been compromised, it just means that the traffic is public and not private. So it's probably not a good idea to use your only password on that site since it can be discovered by packet sniffing.

Correction: I see the screen shot now.

That's an injection attack, it can be performed on sites that use https as well, I know I've done it many times on customer systems.
If you are a security expert you know very well that every system can be hacked. It is only a question of how easy it is. That was shown by the FBI's attempts to hack an iPhone without success, while "Pegasus" has had this success recently.
OpenCPN is a target which might be interesting for certain people to harm. Although the software itself is very vulnerable, it does not matter so much because the software is mostly used at sea without internet access. However, its website should have some simple security, e.g. to prevent visitors from being infected.
The first step is using https; then the HTTP Strict Transport Security (HSTS) header should be implemented, Content Security Policy (CSP) headers should be implemented, redirections should be checked so that they do not redirect to a non-https page, the X-Content-Type-Options header should be implemented, the X-Frame-Options (XFO) header should be implemented and the X-XSS-Protection header should be implemented.

Once this has been done, the first and simplest things are done. Until then, especially Windows users should avoid visiting this website. This event has shown that for a long time no administrator has ever checked this website. A very bad reputation for OpenCPN.

Gerhard
CarCode is offline   Reply With Quote
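A defender-side way to check the items Gerhard lists above, as an added example that is not code from this thread or from the OpenCPN project: it audits one captured HTTP response for plain http, non-https redirect targets and each of the named headers (HSTS with a positive max-age, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection). The sample responses are constructed (example.invalid), not captures from opencpn.org.

```python
from urllib.parse import urlsplit

def _hsts_ok(value):
    """HSTS only counts if it carries a positive max-age."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) > 0
            except ValueError:
                return False
    return False

# Header name (lower-case) -> predicate that the value is a useful setting,
# so a header that is present but empty or disabled is reported as "weak".
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
}

def audit(url, status, headers):
    """Return findings for one response; an empty list means nothing is missing."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if urlsplit(url).scheme != "https":
        findings.append("served over plain http")
    if status in (301, 302, 303, 307, 308):
        loc = h.get("location", "")
        if urlsplit(loc).scheme != "https":
            findings.append(f"redirect to non-https location: {loc or '(none)'}")
    for name, ok in CHECKS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not ok(h[name]):
            findings.append(f"weak {name}: {h[name]}")
    return findings

# Constructed sample responses (hypothetical host, not captures from opencpn.org).
WEAK = ("http://example.invalid/", 200, {"Content-Type": "text/html"})
HARDENED = ("https://example.invalid/", 200, {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
})
```

Feed it the status and headers of a real response (for example from urllib or requests) to get the same findings list for a live site.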
Old 29-08-2016, 01:46   #25
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by CarCode View Post
If you are a security expert you know very well that every system can be hacked. It is only a question of how easy it is. That was shown by the FBI's attempts to hack an iPhone without success, while "Pegasus" has had this success recently.
OpenCPN is a target which might be interesting for certain people to harm. Although the software itself is very vulnerable, it does not matter so much because the software is mostly used at sea without internet access. However, its website should have some simple security, e.g. to prevent visitors from being infected.
The first step is using https; then the HTTP Strict Transport Security (HSTS) header should be implemented, Content Security Policy (CSP) headers should be implemented, redirections should be checked so that they do not redirect to a non-https page, the X-Content-Type-Options header should be implemented, the X-Frame-Options (XFO) header should be implemented and the X-XSS-Protection header should be implemented.

Once this has been done, the first and simplest things are done. Until then, especially Windows users should avoid visiting this website. This event has shown that for a long time no administrator has ever checked this website. A very bad reputation for OpenCPN.

Gerhard
Ok I guess we're having a measuring contest....

Those are all valid points, but they don't prevent some simple schoolboy hacks from being done. A simple LFI or even better RFI can still be performed on a site that has all of the above implemented. I know, I've done it many times.

I don't disagree with the fact that the site is vulnerable, heck if you can get me a signed piece of paper giving me permission to prove it, I will...

What I meant to say which may have gotten lost in the text is that https is not a measure of a safe site, it's easy to get free x509's for ssl...

I also agree that there's no reason for not having https in this day and age and it should be the standard.

Also initially I didn't notice the screenshot you posted, but you cited the lack of https as the reason why the site got hacked...

Again, I don't disagree that these things require fixing, but telling users that a site is safe because it has https is just plain wrong...

The internet is a big bad scary place once you see it for what it is! I'm fighting daily to try and educate users around this; things are not as binary as we'd like. It's really, really hard to spot a bad site; sure, things like https might be a hint, but that's assuming that users check the signatures and know how to verify them. Assuming, of course, that their machines don't have bad root certs installed.

We can go on and on about these things if you like, bottom line is be careful how you go about explaining things to users. I'm still struggling to get users to realise complex 8 character passwords are not secure and longer pass phrases say 16+ characters are better. Some security expert told them a long time ago that this is the way to go, they are now stuck in that thinking...

Security is a moving target, teach vigilance rather than simple "rules of thumb".

So to re-iterate, I don't disagree that those things need to be in place, but it's not going to stop a mildly skilled attacker.

Also for the record OWASP top 10 does not mean the site is safe either...

Eben is offline   Reply With Quote
Old 29-08-2016, 02:02   #26
Registered User

Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,541
Re: OpenCPN Homepage hacked

Obviously my English is really bad. I have said that every system can be hacked. But there is no reason to open it widely to every scripting kiddie.
That has been done here and no administrator has ever checked this site.

I hope you understand now what I have said.

Gerhard
CarCode is offline   Reply With Quote
Old 29-08-2016, 04:16   #27
Registered User
Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

It's kind of weird being online logged in to opencpn and, of the five online users, I am the only legit user. The rest are all hacking actively!
This can't be too good.
rgleason is offline   Reply With Quote
Old 29-08-2016, 04:20   #28
bcn
Registered User

Join Date: May 2011
Location: underway whenever possible
Boat: Rangeboat 39
Posts: 4,740
Re: OpenCPN Homepage hacked

Eben,

what about helping Dave to get the "holes" smaller?
Would be very appreciated.

Hubert
bcn is online now   Reply With Quote
Old 29-08-2016, 04:29   #29
Registered User

Join Date: May 2015
Location: Auckland, NZ
Boat: Bristol Channel Cutter
Posts: 126
Re: OpenCPN Homepage hacked

Quote:
Originally Posted by bcn View Post
Eben,

what about helping Dave to get the "holes" smaller?
Would be very appreciated.

Hubert
Way ahead of you, I've already offered to help with this particular issue...
Eben is offline   Reply With Quote
Old 29-08-2016, 04:32   #30
Registered User
Join Date: Mar 2012
Location: Boston, MA
Boat: 1981 Bristol 32 Sloop
Posts: 17,633
Images: 2
Re: OpenCPN Homepage hacked

Yes, Eben, your thoughts on a better captcha too? If I can help with the mop-up, let me know.
rgleason is offline   Reply With Quote