
Security Incident - Please Change Your Password

Status
Not open for further replies.

blantonl

Founder and CEO
Staff member
Joined
Dec 9, 2000
Messages
9,231
Location
San Antonio, TX
Everyone,

We've recently received reports of scammers emailing our members with bitcoin extortion attempts. We've identified that hackers were able to download email addresses and encrypted passwords from our database for a number of our users and use that information in these emails.

We believe we have identified the problem and fixed the vulnerability on the site, however we request that you change your password on the site as soon as possible.

Note that no credit card information, premium payment details, or other information is believed to have been exposed through this security incident. Additionally, RadioReference does not and never has stored plain-text passwords anywhere on the site or in the database.

What happened

Hackers exploited an SQL Injection vulnerability on the site to download approximately 25% of our members' email addresses and encrypted passwords. The hackers were then able to decrypt some of those passwords. The hackers then emailed some of these members with extortion demands for Bitcoin payment.

Technical Details

A query field on the RadioReference Mobile site m.radioreference.com was not properly sanitizing data (specifically, the ?fid=### field), which allowed hackers to craft a specific query to trick the page into retrieving a user's email address and encrypted password. We believe that about 25% of all our user accounts were affected, based on analysis of our logs.

The vulnerability that was exploited for this incident was fixed during a cursory code review on July 12th 2019. We were not aware at the time that it was being actively exploited.

Passwords were encrypted with the MD5 hashing algorithm and basic salt. The hackers were able to decrypt some of those passwords and then email the users indicating they knew what their passwords were.

Moving Forward
  • All users should immediately change their password to upgrade the security on their stored password
  • The site has been upgraded to use an extremely strong password hashing mechanism based on bcrypt, which greatly reduces the ability to decrypt a user password.
  • We are continuing code reviews and firewall configurations to prevent this from occurring again
  • We will soon expire and reset the passwords of all users who have not changed and updated their password to use the new hashing method

Thank you for your patience and our apologies for the problems.

Lindsay
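The announcement describes an unsanitized ?fid= parameter being used to alter a query. The following is an added example, not RadioReference's code: a minimal feed lookup written the vulnerable way (request parameter concatenated into the SQL text) beside the hardened form (type check plus a bound parameter). The table name, columns and sample rows are constructed for the demonstration.

```python
import sqlite3

# Added example, not RadioReference code. "feeds", "fid" and "name" are
# assumed names; the point is the ?fid= lookup pattern from the announcement.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feeds (fid INTEGER PRIMARY KEY, name TEXT)")
    # Constructed sample rows.
    conn.executemany(
        "INSERT INTO feeds VALUES (?, ?)",
        [(1, "County Fire"), (2, "City PD"), (3, "EMS")],
    )
    return conn


def feed_name_unsafe(conn: sqlite3.Connection, fid: str) -> list:
    # Interpolating the request parameter into the SQL text lets the
    # parameter change the structure of the query, not just its value.
    rows = conn.execute("SELECT name FROM feeds WHERE fid = " + fid).fetchall()
    return [r[0] for r in rows]


def feed_name_safe(conn: sqlite3.Connection, fid: str) -> list:
    # Two independent controls: reject anything that is not the integer the
    # parameter is supposed to be, then bind it as a value so the SQL text
    # is fixed regardless of input.
    if not fid.isdigit():
        raise ValueError("fid must be an integer")
    rows = conn.execute(
        "SELECT name FROM feeds WHERE fid = ?", (int(fid),)
    ).fetchall()
    return [r[0] for r in rows]
```

With a well-formed fid both functions return the same single row; with a malformed one the unsafe version returns rows the caller never asked for, while the safe version refuses the request before any SQL runs.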
 

citiot

Member
Premium Subscriber
Joined
Feb 8, 2007
Messages
49
Don't forget to change your passwords on other sites if you use the same password on accounts like bank and credit cards.
 

chaycock

Member
Joined
Oct 28, 2002
Messages
107
Location
Columbus, GA
Interesting that they were able to do so, seeing that salt was used... that should have thwarted a traditional rainbow/brute-force attack.
 

iscanvnc2

Member
Joined
Nov 13, 2012
Messages
57
Location
Ventura, CA
  • We will soon expire and reset all user's passwords who have not changed and updated their password to use the new hashed method

I updated last night at approx. 2330 hrs PDT. Does this meet the new criteria?
 

blantonl

Founder and CEO
Staff member
Joined
Dec 9, 2000
Messages
9,231
Location
San Antonio, TX
Changing your account password updates it everywhere (RadioReference, Broadcastify, Forums, Wiki etc)

The new password scheme was rolled out today (8/24/2019) at about 3:40 PM CDT, so if you haven't changed your password after then you need to.
 

tfranklinh

Newbie
Premium Subscriber
Joined
Jul 17, 2012
Messages
1
Location
Ellicott City, MD
I concur with @LEH. Thank you for your quick response and advice. My history with InfoSec can confirm that prompt notification and action on PWs is the safest way to mitigate damages. Well worth my subscription fee! (y)

Great work and happy listening.
 

simpilo

Member
Joined
Sep 18, 2018
Messages
663
Location
Oklahoma City,OK
I checked the email I put on my RR account. Nothing in spam, nothing in inbox. Always a blank slate. I don't use that email address for registering online accounts much. I think RR is the only site I used that email address with.
 

W8RMH

Feed Provider Since 2012
Premium Subscriber
Joined
Jan 4, 2009
Messages
7,965
I changed my password; now RR won't accept it, nor will the site send me a reset email.
 

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
7,409
Location
Carroll Co OH / EN90LN
Lindsay,

Can you tell us what the real character limit is on passwords? This is not obvious on the password change page, which looks like it displays a field length of 20.

thanks

Mike
 

kd8twg

Member
Premium Subscriber
Joined
Jun 20, 2011
Messages
49
Location
Cleveland, Ohio
Hashing is not the same as encryption, and you’re doing the right thing by hashing passwords.


But seriously, how in 2019 were you still using MD5? It’s been considered insecure for years now.
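The announcement says stored passwords were salted MD5 and that the site moved to bcrypt, with users who never log in to be force-reset later; this post asks why MD5 was still in use. The following is an added example, not RadioReference's code, of the migration a defender would want: every existing record is wrapped in a slow hash immediately (no password needed), and a successful login replaces the wrapped record with a direct slow hash of the password. hashlib.pbkdf2_hmac stands in for bcrypt here because it is in the standard library; the pattern is the same with a bcrypt library, and the record format is an assumption.

```python
import hashlib
import hmac
import os

# Added example, not RadioReference code. pbkdf2_hmac is a stand-in for
# bcrypt; the "$"-separated record layout is assumed for the demonstration.
ITERATIONS = 200_000


def legacy_md5(password: str, salt: bytes) -> str:
    """The old scheme from the announcement: MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()


def wrap_legacy_record(md5_hex: str, old_salt: bytes) -> str:
    """Upgrade a stored record without knowing the password: feed the old
    MD5 digest into the slow hash. A copy of the database now costs the
    slow work per guess, even for users who never log in again."""
    new_salt = os.urandom(16)
    digest = slow_hash(md5_hex.encode(), new_salt)
    return "$".join(["wrapped", old_salt.hex(), new_salt.hex(), digest])


def new_record(password: str) -> str:
    salt = os.urandom(16)
    return "$".join(["new", salt.hex(), slow_hash(password.encode(), salt)])


def verify_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store). A correct login against a wrapped
    record yields a fresh direct record, so the MD5 layer disappears."""
    kind, *parts = record.split("$")
    if kind == "new":
        salt, digest = parts
        got = slow_hash(password.encode(), bytes.fromhex(salt))
        return hmac.compare_digest(got, digest), record
    if kind == "wrapped":
        old_salt, new_salt, digest = parts
        inner = legacy_md5(password, bytes.fromhex(old_salt))
        got = slow_hash(inner.encode(), bytes.fromhex(new_salt))
        ok = hmac.compare_digest(got, digest)
        return ok, (new_record(password) if ok else record)
    raise ValueError("unknown record format")
```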
 

mechanic

Member
Joined
Jun 20, 2003
Messages
17
I received one of those extortion attempts. It is titled "Save yourself". It says they have your password and your accounts and have been accessing your camera. I changed my password immediately. Hard to believe people can be so disgusting.
 

clbsquared

Member
Premium Subscriber
Joined
Oct 13, 2015
Messages
498
Location
Isle of Wight County
A major incident such as this should probably be communicated via direct message or email to every user. This thread will not necessarily be seen by every user.

Agreed. This is a major breach of security. Notification of such activity should have been done in a more personal manner. I found out about it from another site. Very poor communication of the event from the admin team here at RR.
 

pinarello

Member
Premium Subscriber
Joined
Oct 23, 2009
Messages
15
Location
Princeton, NJ
Wow, as a CISO, this was a negligence gap in your cyber defenses. The SQL Injection vulnerability is so old and easily exploited. Vulnerability and penetration testing would have detected this; did you not conduct this type of testing before a "cursory code review" found it, maybe months after the exploit? What are you doing NOW to mature your cyber security controls?

As noted in another comment, you need to be transparent on this matter and advise all of your users about this incident, not just in this forum. Has your legal team reviewed, as you may have reporting requirements to a few State Attorneys General on this breach? Get your PR team going....
 