Potential Database Breach

[rhino74]

In response to post #31586835. #31595470, #31596950 are all replies on the same post.

Krazeecain wrote: "If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). "

NONONONO! Don't do this. This is a horrible practice and it needs to be eradicated. Using longer passwords made of random unrelated words is much more secure, and much easier for people to remember.

https://xkcd.com/936/

(Did I just cite a webcomic as a source? Yes. Yes I did.)

umiluv wrote: I believe it's good to have a mix of both. I like to make small phrases using L33T to get the numbers in and add special characters as required. Then you have a phrase that's easy to remember AND you have the number and special character requirement as well.

FredNotBob wrote: And any properly-programmed dictionary-based cracking system will chew through those 'random' words in a matter of -hours-.

Use longer passwords, by all means, but don't assume that 'purplemonkeydishwasher' is going to be too hard for a computer to break.

create a type of mnemonic acronym from sentence.. like ..purple dishwashing monkey saw seven stars, can you believe it ! = PdMS7*cYbi!

[gunmetaljoe]

Please send an email to all registered accounts. I would not have known about this breach had I not been looking for a Fallout 4 mod by change (haven't been on the site in years).

 

I believe it's the responsible thing to do.

 

Best of luck.

[rhino74]

In response to post #31573045. #31573920, #31573935, #31575350, #31575375, #31581750, #31584915, #31585005, #31586510, #31587355, #31590785, #31592405, #31596110 are all replies on the same post.

Dark0ne wrote: The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

OP updated to include that information.

ZedLeppelin wrote: Thank you for that info! I'm happy to say I downloaded/installed none of those 3 mods. I changed my Nexus p/w regardless, just to be safe.

Hickory wrote: That dsound.dll file should be sent away to all AV companies that participate in Virus Total for manual investigation. Relying on existing heuristics is not doing anybody any good, especially since these files are extremely suspect to begin with and have not been tagged by the scans.

spidermandala wrote: Thanks so much for giving us the heads up Dark0ne, I too luckily didn't pick any of these up but Ill be double vigilant now.

RaverWolfe wrote: I actually downloaded the Rename Dogmeat one, I'll change all my s#*! asap just incase.

adventnova wrote: glad i never downloaded those files.

sydney666 wrote: Thanks for the update...

Any news on synlSDLL.dll? This file and some program triggered my UAC and installed a touchpad service without me having such hardware. I don't know if the program acted as though it was a touchpad and thus my pc needed to install this service or if the actual file was a virus...once I uninstalled everything, no virus was found on my pc.

I have since cleaned my system, but it was a little difficult as the program would not uninstall by normal means aka control panel.

Very odd, but I am glad you are getting this under control.

sonkaro wrote: Lets just hope it is just FO4 mods being affected. Thousands upon thousands could be affected if they touch Skyrim, Oblivion, and many of the other games Nexus hosts.

But alas, only time will tell. Thank you for taking the time to preemptively warn us.

RealmEleven wrote: There is nothing wrong with Higher Settlement Budget. I've been using it without problem ever since I found it (and I've been checking nexus daily since I got my mits on FO4) so I don't think I would have missed any fun and games, if any.

Also, I eyeballed the files inside the archive. Two XML files, two BAT files and a text file. None of these five files show any unnecessary code, much less anything potentially suspicious.

I don't think your database is compromised. If it was, we'd all be getting the same problem from the same mods. One of your informants on this thread mentioned Windows Defender catching malware in the browser but not in the file system. While I haven't had that experience, it's worth pointing out that I'm a premium member so I don't see your ads. Put these three facts together and it's pretty obvious where the potential issue is.

Your site's only as secure as its weakest channel. If you can't vet every single advertisement that gets piped onto your site, before it is allowed to be displayed on your site, then you can't prevent hackers from abusing that channel. After all, the only way launch a driveby off a site without hacking that site's hosting server is to buy or steal advertising space on the advertising channel used by that site. Given the facts, that's the first place I'd look for a problem.

One other thing: Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves. In countries like Australia and, I suspect, throughout all the Commonwealth (British Colonies) a date of birth is an all access pass to a person's life, identity and property. One way to make a significant improvement to a site's security is to make a point of excluding all sensitive information like this.

Anyways, I'll shut down cycle my disks for a dead system scan and see if anything interesting pops out of the woodwork. If I find anything, I'll let you know.

jipao wrote: i downloaded the higher settlement mod, and after this warning i already change all my password. what do i do next? should i uninstalled the mod or it already late to do that?

Zaldiir wrote: If the archive contained those files, you downloaded it before it was re-uploaded with the sound.dll file, so you are safe. :)

The specific names of the archives that contain this dll are:
BetterBuild-3002-1-2.zip
Higher Settlement Budget v1.3-818-1-3.zip
Rename Dogmeat-4507-1-0.zip

CatherineMartin wrote: I found dsound.dll in one of my Skyrim mods, not sure what, I just cleaned ALL 50 of them out, and am currently redownloading all of them, and checking them.

daftshadow wrote: Thanks for the list! Good thing I never downloaded these mods. Phew.

RealmEleven said

Including birthdays as a field in your account database makes your site's accounts a jackpot for identity thieves

Second that.. I cringe when public sites ask for that info..

[elrusho]

In response to post #31595455.

Brother Galahad wrote:

Thank you Dark0ne, your transparency and informative post is appreciated and a model action that all businesses and organisations should strive to emulate.

 

We ask that you please keep us updated on the situation as the vast majority of us hope you can squash this threat and come out better and more secure for going through this ordeal.

 

Props to you Dark0ne and best wishes

My sentiments exactly.

[cosmic94]

I was at work watching that reddit thread develop, you did a good job handling and addressing the issue with us. This is one of the reasons this site has gotten so successful.

 

As far as security goes, nothing will make this site 100% secure, it's simply gotten too big and popular for that. I work for one of the biggest tech companies in the world and know all about how this stuff works, so while it was good of you to warn us, you have nothing to apologize for:)

 

This stuff happens.

[thejiffiness]

Do you think, just to entertain the idea, that maybe its some past modders you made mad by your rules? I have heard that you guys can be ridiculous about some of the smallest rules (from a lot of modders not just a few) I have read the forums before and seen some questionable reason to ban people. I would think that banning people would be counterproductive to the "mod" website.

 

Before you get mad at me, I don't have a problem with you. I enjoy nexus mods but I thought maybe its something to consider. I don't care how mad I was at someone I would never hack someone. That is just too low for me to even consider. I guess what I am saying, is maybe you should look at some of the modders you could have banned (and maybe lighten up so you dont get more modders mad at you for petty things JUST reporting what I see.)

Edited December 7, 2015 by thejiffiness

[rhino74]

In response to post #31590135. #31592185, #31592550, #31594730 are all replies on the same post.

RealmEleven wrote: "That email" was meaningless and indicates nothing - particularly deferring to "trusted sources". People generally deploy appeal to authority arguments like those unspecified "trusted sources" when they're engaged in fraud or unwittingly propagating somebody-else's fraud. About the only exception I've encountered is when people idolize and try to emulate high status individuals who engage in dishonest behaviour (e.g. politicians, religious leaders, etc) and so blindly copy their style of argument without realizing how damning it is when heard by folks in the know about such things. Either way, that email's not worth considering simply for the lack of actionable facts. Dare I suggest the source-header might be far more informative than the body text. And If I were to guess ... I think the email a form of misdirection - I mean, you can see it's not pointing you to the facts you need in order to prevent a criminal act and if the email's author is in possession of any of those facts, that'd be aiding and abetting would it not?

Getting back to what the email isn't helping with, with respect to paragraph 5 of the OP, I don't agree that it's damning. It seems that your server logs confirm the account activity...? In absence of anything contradictory about the IP addresses connected with the activity, I think it will more than likely indicate a new bug going around and the users in question might want to pull their hard disks and have them scanned by a something up to date that is run from a nice fresh clean operating system which isn't used to do anything other than download AV updates and scan the hard disks removed from other systems. But I guess that's their call.

To the question of your server integrity, I downloaded a bunch of stuff yesterday and the day before and... well, if there's something lurking on your server, where's my copy of sound.dll? More to the point, if your server's been hacked, why distribute sound.dll with three mods that don't need sound (i.e. where the file really stands out like a house cat in an aquarium) instead of some of the many mods where the presence of a sound library might make sense (e.g. True Storms)? And why not hit Nexus Mod Manager? That has to have the largest audience. Anyways, dead system scan coming up while I have breakfast so if I find anything interesting I'll let you know.

For now, I think that a number of user accounts may have been compromised by malware probably originating with other sites and operating from the user systems in question. But I still think it's worth looking into how much control you really have over advertising content injected into your site by third party advertising channels.

Also, one really important detail concerning other people finding out about compromised accounts before you do; this will tend to happen anyway, but I think it may occur more often if you don't have a clear channel of communication (e.g. a site contact) accessible to people who cannot log in. If someone can't log in, can they lodge a support ticket? You still need to run email verification against password resets and the like, but if users who've lost access can't contact you, they will voice the issue elsewhere.

noparts wrote: Well, as I am reading this rather long thread, Malwarebytes' just interrupted me with this notification: "Malicious Website Blocked". Further, this is not the first time its happened on a Nexus site. In fact, most of you probably see (in the lower left section of the scren, url's that are flying by so fast, you can barely make out the shortest of lines. I realize it's intended and that most of them are surely legit; but, as for me, I'm a devout Fallout / Elder Scrolls fanatic. I'm also pretty anal about this crap (pun intended) since I recently got zapped and taken hostage by a so-called FBI office, for ransom! Almost a month, to get back up and running. Without paying the $200.US that they demanded.

So, I'm with what's-his-name, above; it's getting really hard to trust this site anymore - as well as many others! That said, I'm outta here. Oh, sorry, the block was:

"Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound, "

(end)
From: Malwarebytes Anti-Malware
www.malwarebytes.org

noparts wrote: Sorry, I should have included the log:

Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Starting,
Protection, 12/6/2015 4:50:37 PM, SYSTEM, COMPUTERTWO, Protection, Malware Protection, Started,
Protection, 12/6/2015 4:52:36 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Starting,
Protection, 12/6/2015 4:53:22 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, Started,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,
Detection, 12/6/2015 7:34:41 PM, SYSTEM, COMPUTERTWO, Protection, Malicious Website Protection, IP, 184.173.133.194, bidder.tlvmedia.com, 0, Outbound,

(end)

utherix wrote: That message is because the ads on nexusmods sometimes redirect you to some shady s#*!.

RealmEleven,

Excellent observation. As a network IT pro I'd be skeptical of that email, too. However, I'm hopeful that Dark0ne as a site admin\owner is well aware of social engineering email trickery and isn't relying on an unknown party to feed his paranoia..

[Rooker75]

If you're a mod author, especially if you're like me and upload several files for several different games here, take a minute and go to Manage Your Files: http://www.nexusmods.com/skyrim/mods/manage/ . Show all files, sort them by upload date in descending order and just make sure nothing's been updated without your knowledge. Then check again for "Last Updated."

 

I've said it before in the modder subforum a couple years ago and unintentionally started a big argument, but I think this drives it home. Don't distribute regular mods with binary installers/uninstallers. Not only is it unnecessary and stupid for the reasons I gave back then, now there's this sort of thing to worry about.

Edited December 7, 2015 by Rooker75

[velinion]

In response to post #31586835. #31595470, #31596950, #31597315 are all replies on the same post.

Krazeecain wrote: "If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). "

NONONONO! Don't do this. This is a horrible practice and it needs to be eradicated. Using longer passwords made of random unrelated words is much more secure, and much easier for people to remember.

https://xkcd.com/936/

(Did I just cite a webcomic as a source? Yes. Yes I did.)

umiluv wrote: I believe it's good to have a mix of both. I like to make small phrases using L33T to get the numbers in and add special characters as required. Then you have a phrase that's easy to remember AND you have the number and special character requirement as well.

FredNotBob wrote: And any properly-programmed dictionary-based cracking system will chew through those 'random' words in a matter of -hours-.

Use longer passwords, by all means, but don't assume that 'purplemonkeydishwasher' is going to be too hard for a computer to break.

rhino74 wrote: create a type of mnemonic acronym from sentence.. like ..purple dishwashing monkey saw seven stars, can you believe it ! = PdMS7*cYbi!

It really depends on if you follow an obvious pattern in your number/character addition.

There are about 10,000 common English words (Closer to 30,000 total, but most conversations and books stay within the common 10k) so if you use four words, as in the comic, you get 10000^4 possible options. This means, on average, brute force would have to check half those. ~= 5x10^15

If you use an 8 character password that is NOT dictionary based, you have 26 lower case letters, 26 upper case letters, 10 numbers, and about 30 easily typed ASCII punctuation marks ( !@#$%^&*()-_=+[{]};:'",<.>/?\| ) giving us 92^8 possibilities, half of which (on average) an attacker would need to try, giving us ~ 2.6x10^15 (about half as strong as the four words.)

However, many people use longer passwords than this. My shortest passwords for unimportant sites are 8 characters, and tossing a couple extra characters in is relatively easy. Let's say we used a 10 character password, and again divide by two for the average guess: ~2,17x10^19, or about 5000x stronger than those four words.

Now, I realize that you could, theoretically, add more words, but most sites (sadly) limit maximum password length fairly aggressively, usually somewhere between 10 and 20 characters (this is a terrible practice, but sadly a reality) which makes more than a 4-5 word password very difficult. For most sites, expanding the characters provides better security than using a sentence.

[Deleted1123719User]

So should we be not downloading mods for a while?