Potential Database Breach

[RealmEleven]

In response to post #31597875.

thejiffiness wrote: Do you think, just to entertain the idea, that maybe its some past modders you made mad by your rules? I have heard that you guys can be ridiculous about some of the smallest rules (from a lot of modders not just a few) I have read the forums before and seen some questionable reason to ban people. I would think that banning people would be counterproductive to the "mod" website.

Before you get mad at me, I don't have a problem with you. I enjoy nexus mods but I thought maybe its something to consider. I don't care how mad I was at someone I would never hack someone. That is just too low for me to even consider. I guess what I am saying, is maybe you should look at some of the modders you could have banned (and maybe lighten up so you dont get more modders mad at you for petty things JUST reporting what I see.)

Well, if you want to profile the crooks involved, you might want to start with the timing and this attack isn't associated with a rule change. It's not even associated with the release of a full featured RPG that breaks some pretty surprising ground. Just a little late for that. It's associated with a milestone membership level reached by this site and, specifically, the new release game in play here at the time of the milestone. This kind of timing is aimed at the numbers; specifically, enough numbers to be statistically certain of cleaning out a few bank accounts. And speaking of numbers which also happen to be people, the attack's not aimed at the site but at the users. So, it's unlikely to be anything more complicated than Robin-Hood syndrome.

Now, there could be a political motive involved. There's a surprising number of people out there who simply can't accept the idea that it's ok for folks like us to play a computer game. They were campaigning to get first person shooters banned for donkey's years and now we have a bunch of nut-jobs trying to tell us that internet gaming is a mental illness - and there's been so little response to those guys that they've managed to get their mis-identification of a coping mechanism as a proposed mental illness classification into the "conditions for further study" section of current DSM-5 (it's on p. 795 for anyone who's wondering). Why nobody thought of "television-watching disorder", I guess we'll never know! :^)

[jipao]

In response to post #31573045. #31573920, #31573935, #31575350, #31575375, #31581750, #31584915, #31585005, #31586510, #31587355, #31590785, #31592405, #31596110, #31597525 are all replies on the same post.

Dark0ne wrote: The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

OP updated to include that information.

ZedLeppelin wrote: Thank you for that info! I'm happy to say I downloaded/installed none of those 3 mods. I changed my Nexus p/w regardless, just to be safe.

Hickory wrote: That dsound.dll file should be sent away to all AV companies that participate in Virus Total for manual investigation. Relying on existing heuristics is not doing anybody any good, especially since these files are extremely suspect to begin with and have not been tagged by the scans.

spidermandala wrote: Thanks so much for giving us the heads up Dark0ne, I too luckily didn't pick any of these up but Ill be double vigilant now.

RaverWolfe wrote: I actually downloaded the Rename Dogmeat one, I'll change all my s#*! asap just incase.

adventnova wrote: glad i never downloaded those files.

sydney666 wrote: Thanks for the update...

Any news on synlSDLL.dll? This file and some program triggered my UAC and installed a touchpad service without me having such hardware. I don't know if the program acted as though it was a touchpad and thus my pc needed to install this service or if the actual file was a virus...once I uninstalled everything, no virus was found on my pc.

I have since cleaned my system, but it was a little difficult as the program would not uninstall by normal means aka control panel.

Very odd, but I am glad you are getting this under control.

sonkaro wrote: Lets just hope it is just FO4 mods being affected. Thousands upon thousands could be affected if they touch Skyrim, Oblivion, and many of the other games Nexus hosts.

But alas, only time will tell. Thank you for taking the time to preemptively warn us.

RealmEleven wrote: There is nothing wrong with Higher Settlement Budget. I've been using it without problem ever since I found it (and I've been checking nexus daily since I got my mits on FO4) so I don't think I would have missed any fun and games, if any.

Also, I eyeballed the files inside the archive. Two XML files, two BAT files and a text file. None of these five files show any unnecessary code, much less anything potentially suspicious.

I don't think your database is compromised. If it was, we'd all be getting the same problem from the same mods. One of your informants on this thread mentioned Windows Defender catching malware in the browser but not in the file system. While I haven't had that experience, it's worth pointing out that I'm a premium member so I don't see your ads. Put these three facts together and it's pretty obvious where the potential issue is.

Your site's only as secure as its weakest channel. If you can't vet every single advertisement that gets piped onto your site, before it is allowed to be displayed on your site, then you can't prevent hackers from abusing that channel. After all, the only way launch a driveby off a site without hacking that site's hosting server is to buy or steal advertising space on the advertising channel used by that site. Given the facts, that's the first place I'd look for a problem.

One other thing: Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves. In countries like Australia and, I suspect, throughout all the Commonwealth (British Colonies) a date of birth is an all access pass to a person's life, identity and property. One way to make a significant improvement to a site's security is to make a point of excluding all sensitive information like this.

Anyways, I'll shut down cycle my disks for a dead system scan and see if anything interesting pops out of the woodwork. If I find anything, I'll let you know.

jipao wrote: i downloaded the higher settlement mod, and after this warning i already change all my password. what do i do next? should i uninstalled the mod or it already late to do that?

Zaldiir wrote: If the archive contained those files, you downloaded it before it was re-uploaded with the sound.dll file, so you are safe. :)

The specific names of the archives that contain this dll are:
BetterBuild-3002-1-2.zip
Higher Settlement Budget v1.3-818-1-3.zip
Rename Dogmeat-4507-1-0.zip

CatherineMartin wrote: I found dsound.dll in one of my Skyrim mods, not sure what, I just cleaned ALL 50 of them out, and am currently redownloading all of them, and checking them.

daftshadow wrote: Thanks for the list! Good thing I never downloaded these mods. Phew.

rhino74 wrote: RealmEleven said

Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves

Second that.. I cringe when public sites ask for that info..

i have similar file name, it's Higher Settlement Budget v1.3 NMM Edition-818-1-3.zip
yet i don't find any dsound.dll on my FO 4 folder and already searched my entire drive. but there are some in my windows folder. i'm i still screwed?

update: i finally found the source archive and it doesn't contain dsound.dll file despite the archive name and version Edited December 7, 2015 by jipao

[strazytski]

These hackers really do ruin things for everyone, makes sites like this difficult to maintain because you have to now pay large amounts of cash for protection from those wanting to DDOS and steal private information. If Dark0ne did not need to spend money on that i wonder what he could do with all that funds. could pay more people full time to work on NMM and make it extremely better. and the site not only more stable but be even better perhaps.

[Guddler]

In response to post #31586835. #31595470, #31596950, #31597315, #31599105, #31605860 are all replies on the same post.

Krazeecain wrote: "If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). "

NONONONO! Don't do this. This is a horrible practice and it needs to be eradicated. Using longer passwords made of random unrelated words is much more secure, and much easier for people to remember.

https://xkcd.com/936/

(Did I just cite a webcomic as a source? Yes. Yes I did.)

umiluv wrote: I believe it's good to have a mix of both. I like to make small phrases using L33T to get the numbers in and add special characters as required. Then you have a phrase that's easy to remember AND you have the number and special character requirement as well.

FredNotBob wrote: And any properly-programmed dictionary-based cracking system will chew through those 'random' words in a matter of -hours-.

Use longer passwords, by all means, but don't assume that 'purplemonkeydishwasher' is going to be too hard for a computer to break.

rhino74 wrote: create a type of mnemonic acronym from sentence.. like ..purple dishwashing monkey saw seven stars, can you believe it ! = PdMS7*cYbi!

velinion wrote: It really depends on if you follow an obvious pattern in your number/character addition.

There are about 10,000 common English words (Closer to 30,000 total, but most conversations and books stay within the common 10k) so if you use four words, as in the comic, you get 10000^4 possible options. This means, on average, brute force would have to check half those. ~= 5x10^15

If you use an 8 character password that is NOT dictionary based, you have 26 lower case letters, 26 upper case letters, 10 numbers, and about 30 easily typed ASCII punctuation marks ( !@#$%^&*()-_=+[{]};:'",<.>/?\| ) giving us 92^8 possibilities, half of which (on average) an attacker would need to try, giving us ~ 2.6x10^15 (about half as strong as the four words.)

However, many people use longer passwords than this. My shortest passwords for unimportant sites are 8 characters, and tossing a couple extra characters in is relatively easy. Let's say we used a 10 character password, and again divide by two for the average guess: ~2,17x10^19, or about 5000x stronger than those four words.

Now, I realize that you could, theoretically, add more words, but most sites (sadly) limit maximum password length fairly aggressively, usually somewhere between 10 and 20 characters (this is a terrible practice, but sadly a reality) which makes more than a 4-5 word password very difficult. For most sites, expanding the characters provides better security than using a sentence.

MJR wrote: This, very much this! If you absolutely must enforce password strength, make a password strength indicator that can also recognize that long passwords without numeric or special characters are strong. Don't simply require numeric and special characters. Eventually it will lead to passwords like p@ssw0rd, which doesn't really help much in the long run. I'm pretty sure even mynameisjohn is a much stronger password than p@ssw0rd, because 1337 speak mutations are quite common but AFAIK generating passwords from dictionaries of different languages is not so much.

Might I be so bold as to suggest that if you can remember your password then it's not strong enough? Go grab a password manager of some sort. There are plenty out there. I've been using 1Password for years (ever since it came out). All my passwords are long and random and I couldn't tell you what any of them are. OK, 1Password is relatively pricey but there are plenty of others, some of them even free.

[Helljumper1339]

So I found the file, what do I do now? I deleted it already and im currently running a security scan of EVERYTHING on my computer? Should I wipe and reset all my passwords?

 

[stainglasshart]

I've changed my password Dark0ne, thank you for keeping us informed. Forewarned is forearmed! :)

[Driz89]

So the dsound.dll in System 32 is safe right?

[xfillo91x]

Hello Nexus,

 

i've used your site hundres of times for downloading mods, but i never supported you directly with money.

i'm sorry to hear about this problem.

If this thing will cause you to spend a lot of money, why not set up a free donation system (like wikipedia for example)?

Considering that thanks to this site the longevity of my games has increased drastically, i'm ready to support you with a donation, if needed.

what do you think?

 

ps: sorry if my english was not perfect

[stainglasshart]

In response to post #31549740. #31549810, #31549880, #31561980, #31571205 are all replies on the same post.

Jokerine wrote: OH GOD. OH GOD. OKAY, MUST NOT PANIC, MUST NOT PANIC!

http://i.imgur.com/69zS5JG.gif

In all seriousness, thank you for the heads up, Dark0ne! Hope we can get to the bottom of this soon.

Insertnameplz wrote: PANIC PANIC PANIC!!! PANIC IN THE DISCO!

J Allin wrote: Don't panic Captain Mainwaring! Don't panic! Don't panic!! Don't Panic!!!

CreeperLava wrote: Oh, a fellow Stargate ! Hi !

setiweb wrote: See this is what happens when you host your site on Hillary's private server.

What?? Hilary who?

[tonypoo016]

In response to post #31608155.

xfillo91x wrote: Hello Nexus,

i've used your site hundres of times for downloading mods, but i never supported you directly with money.
i'm sorry to hear about this problem.
If this thing will cause you to spend a lot of money, why not set up a free donation system (like wikipedia for example)?
Considering that thanks to this site the longevity of my games has increased drastically, i'm ready to support you with a donation, if needed.
what do you think?

ps: sorry if my english was not perfect

You know that premium memberships are available, right? You can buy one from the Nexus Forums.