Brian Enos's Forums... Maku mozo!

USPSA passwords database has been hacked
Don't get too excited regarding the current USPSA management and start looking for a scapegoat; this may have been going on for years. Stuxnet freaked people out a couple of years ago and now Regin is freaking people out this week. Putting anything on the internet, you generally have to assume it is insecure. Unless you strongly encrypt at the source, tunnel through a VPN and decrypt at the destination, your data is not secure. Anything that is convenient, not requiring you to be an active participant, is probably compromised now or will be in the next year or two.

Just be very careful.

Certificate Authorities - VeriSign, DigiNotar, KPN and others hacked.

OpenSSH - early versions hacked

Windows 95 to present - ALL versions of Windows have an "in plain sight" security issue. (CVE-2014-6332)

There are many others. Treat your personal data just like money left on a table at a restaurant: anybody can see it, the honest people will remain honest, but you don't know what happens after you leave. (No traces leading back to you either.)

This is a red herring. Yes, even well-protected data is vulnerable (i.e. Target, Home Depot), but USPSA didn't have the data well protected only to be thwarted by a group of expert hackers. They left the doors unlocked and three weeks of newspapers on the steps.

Don't get too excited regarding the current USPSA management and start looking for a scapegoat, this may have been going on for years.

It's like saying don't blame the last person who didn't lock the door when leaving the office that got robbed, because there are lock picks.

This happening doesn't really surprise me. My two cents, but USPSA has a problem with where they are at now as an organization. We started as a volunteer organization and the huge amount of work needed to make the organization work is still done by volunteers: ROs, Match Directors, setup and teardown crews, Area Directors, Section Coordinators, etc. The problem, again just my view, is that USPSA relies too heavily on volunteers for some critical things they shouldn't. Much of our IT was done on a volunteer basis by Rob Boudrie and others. As much as I like Rob (and I don't believe he is in any way responsible for the password issue), there are certain things you really need to pay for and maintain control over. Holding up a 40K project for almost a year while waiting for a volunteer to finish his part of the job is no way to run a business. Having people with attitudes that do nothing to promote USPSA and in fact drive members away, but excusing their conduct because they volunteer their time, is no way to run a business. For that matter, having paid employees that are not fulfilling their obligations or are not the best people to have in those positions, but excusing it because they are our friends or are part of the "USPSA Family", is a sure way to run any business into the ground. I think that's the rub. There are more members on the BOD that don't think USPSA is a business and still treat it like it is a volunteer-based organization. Until that paradigm shifts and people are held accountable for their missteps instead of being excused because they didn't charge us anything for their screw-up, or because we like her as a person, screw-ups will continue. Why would anyone expect anything different unless something changes?

Agree with this 100%.

Any idea what this means? I get it every time I try to reset the pw on uspsa.

Warning: mysql_pconnect() [function.mysql-pconnect]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9

Warning: mysql_pconnect() [function.mysql-pconnect]: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9

Warning: trigger_error() [function.trigger-error]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EST/-5.0/no DST' instead in/home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9

Fatal error: Can't connect to MySQL server on 'uspsa.org' (114) in /home/uspsa/public_html/Connections/USPSAStaffApps.php on line 9

What a pain in the ass!

I didn't use that password on anything financial, but it was a similar scheme, a bit stronger. I said screw it. I installed LastPass and now ALL my passwords are gibberish. I'll never remember a single one! But they are backed up on a memory stick in an Excel file. This just sucks...

Two days ago they dumped the SQL table structure to the web site. Now we're getting error messages posted. The USPSA membership roster would be a big score for anti-gun activists. I don't see why the site isn't taken offline until USPSA can guarantee the security of the site. Attempting to apply fixes on a live site, with live data, is just stupid.

Is the membership renew page not working for anybody else?

I am getting a "This webpage is not available".

I get:

Fatal error: Cannot break/continue 1 level in /home/uspsa/public_html/uspsa-join-renew.php on line 141

Probably not a good time to be giving USPSA any personal or financial information anyway. :-)

Oh, so you guys actually got the password reset links? I've requested them a few times, never got an e-mail. Checked spam folder of course (because really, why wouldn't the password reset link end up in spam folder, right?) and nothing.

I did not get mine either. I think I have two email addresses coded somewhere, my old one and the new one that I am using now. I suspect that it is reading the old email address and, because it's no longer valid, I don't get the email.

Did you change your email address since you joined USPSA?

No, not really. Funny thing is, after I discovered the hack/leak I logged in and changed my password immediately (I'm a club contact). Now my membership is expiring, the club registration is expiring and I can't do anything about it online. I guess it's time to switch to snail mail.

This is still going on today when you try to go to your user profile page.

I hope everyone has made sure their USPSA PW was changed anywhere else that it might have been used. Since the site was hacked/published, there have been attempts to access my Microsoft email from Thailand, Indonesia, Chile, Bangladesh, Dominican Republic, Italy, Chicago & Russia. Fortunately, I did not use the same pw for my email or anywhere else.

I don't think anyone else posted this; folks may want to check out https://pwnedlist.com. It's a service that will tell you if any of your email addresses, etc. have been part of a public data breach. The site/service has been featured by a number of major publications and is used by LastPass, which I use for password management.

Since I've received nothing about the breach from the USPSA, I wasn't sure what email address I had used for the USPSA site, and as a bonus the reset password option has yet to work for me. So I plugged a couple of the likely addresses into pwnedlist and sure enough, one came back as part of the USPSA breach.

I feel like I'm just piling on at this point, but as someone who advises firms on IT matters, I don't think this whole thing could have been handled more poorly by the USPSA.

My membership expired on 11/30. I called HQ today and was able to pay over the phone.

Thanks, I'll call them tomorrow.
