I just noticed that the HRSA website is offline. Is this just a connection issue for the site or is there a problem with it?

This morning members were emailed this from the president:

"Ron our IT guru, found last night that the HRSA site had been hacked. He has worked all night on restoration."

Ahhh, serves me right for opening Edge before Outlook. My copy of the e-mail is indeed there.

Well, I know as well as anyone that this sort of thing can happen to any site. I hope they get the issue sorted soon and best of luck to them with what could be a difficult job.

Some idiot has done it again:

"The [HRSA] website has been attacked again, so it is down. We believe it's a younger person who is destroying pages for the fun of it, rather
than getting information. We will refer the matter to the Police Cyber Crime division."

It is a shame that someone(s) is doing this at all, but to a non-profit site with a small audience - one has to ask what is the point? It's particularly disappointing as information on up-coming auctions is due to be uploaded soon.

One has also got to ask about the mentality of those doing this. We keep getting told our medical records will be safe yet we have scammers ghosting telephone numbers, to use at will.

One finds the claim, by profit before people, that they cannot be traced & cut off, to be totally lacking in credibility: It comes down to money. Are they telling us that on a detailed account, all of those numbers that rang me are fictitious & put there by a random number generator, like the spammers are using? If the billing is recording all calls in & out and when, they must know which phone & where it is.

How come numbers not being used are accessible, not cut off? Is this how they make more money, or are they secretly losing it as no one is paying for it?

Really needs to be a Bank style inquiry into Phones & NBN.

It seems the HRSA site is like a house with an unlocked front door. That kind of thing may have been safe enough decades ago, but not any more. If they expect their site to survive, they need to take security seriously. In my opinion, they only have themselves to blame.

If they expect their site to survive, they need to take security seriously.

True but, as with most organisations run by volunteers, it's hard to find dedicated people with the requisite skills to put their hands up.

Robert, at the end of the day there is no such thing as a website that cannot be hacked. Anyone who makes an audacious claim of 100% security is just waving a red rag at a bull. There are many people in the world, perhaps many thousands, who know what they are doing when it comes to breaching the security of a web server.

No lock is unpickable. Some sites are certainly more secure than others. However there isn't one that cannot be breached by someone that knows how to do it. As much as we hope this sort of thing never happens here, I regret to advise that it certainly can happen here. Administrators and webmasters can try all they like, but there will always be someone who can turn good luck into bad.

This sort of thing can happen to the most basic website, with a handful of raw HTML pages or it can happen to a forum, shopping site or any other type of site and it can happen to sites hosted on a Windows or Unix server. Again, no site is immune if the hacker knows what he's doing.

To anyone that disputes what I am saying - if security can be improved to the point of 100% infallibility, come forward and show how it's done.

HRSA website is only one of many that has been hacked lately. On another forum I belong members have had their personal websites hacked, Wordpress blogs hacked the list goes on.

A computer IT member explained a lot of the hacking is done by automated spy bots set up by criminals which just sit there trawling endlessly all over the internet.
Just trying to break in and get passwords, credit card details etc.

There was a news story only a week ago about a lady whom had major repairs done to her house after a large storm. The bill from the builder came via email and the lady paid it in full electronically.
Only to find out that the builders website had been hacked, the crims were watching the progress of the repairs being done, and as soon as the work was finished sent off the bogus invoice complete with genuine looking letterhead.

The builder had no idea his company website had been hacked.

The lady went to the bank, the bank tried to recover the money but as the crims were offshore it came to a dead end.

This hapless single mother has lost the $14,500 entirely.

I rarely pay for anything on a vendor's website. I make sure I get their BSB and ACC numbers and pay from my bank's site. That way, if the money goes missing the bank has to find it. The other alternative is B-Pay and again, that's done from a bank's website. Paying by credit card comes with the ability to charge-back if the money was syphoned or just simply paid incorrectly or the direct debit was done wrongly for whatever reason.

The other issue, is as outlined by Simplex - all too often there are cases where the server owner simply doesn't know that security has been compromised. In many ways it is not possible to be aware and servers can be visited many times without anyone having a clue that it's happened. Without trusted eyes on servers and million-dollar IT budgets to support it and monitoring software, it's not possible.

Update:

QUOTE: The website is being rebuilt from scratch. This will take some time.

We now have a "gaol" This is a secure area. Ron is moving the site inside the "gaol" to deflect attacks. It will email our webmaster if anything suspicious happens.

Ron has a security expert associate assisting.

The hackers have now accessed the database, and they sent a mail-out.

(President: I didn't receive any message so my service provider must have a superior filter.)

Please do not to reply or fill in any confidential details to any emails from the HRSA and we recommend you change passwords.

Despite the above advice, of course you will be receiving normal emails from the HRSA, with no request for private info.

so look for warning signs,

• like the sender is not our addresses or

• the language is not good English, and

**** especially don't send any information in response to a request!! ****

Jail (yes, spelt incorrectly) is a common phrase used to refer to a secure part of a server. A fresh start may be a good thing for the site though whether that itself leads to a more secure site depends on how the hacker gained access. All websites have a front door and a back door. The back door is direct access to the server itself and the front door being some sort of insecure code on the website's pages or scripts.

As for the expectation that a fraudulent e-mail may be on its way, that may happen and the message Kevin was sending was probably more to warn people of the dangers of openly treating any and all e-mails as genuine. At my workplace (a national company with around 25,000 employees) we get a randomly timed test on this every six months. The IT department sends out an e-mail that purports to be from a leading popular company (bank, airline, supermarket, etc) which asks the user to click on a link and enter CC information or a username and password for a reward scheme, etc. Only about 70% of the staff pass the test by destroying the e-mail without clicking on links.

That is a high success rate when compared to benchmarks however that other 30% just don't seem to ever get the message. It never seems to occur to them that work e-mail addresses are usually not the normal destinations for such messages (most corporate IT policies prohibit it for a start) and security just goes over their heads.

It's the same with passwords. I know for a fact that a fair number of members here have passwords that do not meet the site's guidelines. Some people simply just do not care though and whilst a stolen account isn't really a hacking, it is still illegal and it still creates headaches for me because if a member with a stupid password does lose his account to a thief he will expect me to regain control of it and return rightful access to him. Whilst that isn't a difficult task, I'll be more likely to ban that user if I find that his password was inadequate as a demonstration of not only what I expect of members but to send a message that security on the Internet isn't a joke.

To confirm: I am yet to receive any of the bogus e-mails and for now, at least, this site is still secure. Let's hope it stays that way.

UPDATE: I can also confirm that the automated backing up of VR is also humming along nicely. The most comforting thing for any webmaster is knowing that there is more than one copy of the site and its database available, should anything go wrong. It is usually when things like this don't get done that trouble strikes.

So, it seems I was right - an insecure site. The move to make a walled-off area is a good start. Other things that could be done is to lock accounts that haven't been used for a predetermined time, and eventually to delete them after a further time. Prime examples would be the miriad of accounts that were created then never used or have 0 posts. I appreciate that some databases get upset if accounts are deleted, but locking should still be possible.

Next would be to enforce complex passwords, and force anyone without one to have to change it.

And lastly, for those that have to update pages remotely, this is usually done by FTP, and a simple password here exposes the entire site to the hacker. Brad is lucky is having his server local, so he doesn't need FTP. There's some tricks that can be done
- Get the password wrong 3 times in a row (or within a minute) and the account will be locked for a while.
- Or, get it wrong and it won't consider the next one for a second, Get it wrong again and it becomes 2 seconds, and it keeps doubling with each wrong guess. Attempts during the cutoff period will be considered as wrong, even if it was right. Hack robots will find it hard to get in with that kind of protection.
- Only allow one login of each account at a time.
- and much more...


Brad is perfectly right about some people's view of security - I know people who simply have no concept of it. Did you know that some important organisations still use NT as their basis of security? Imagine how many holes must have been found in that over the years, and will never be patched.

Only about 70% of the staff pass the test by destroying the e-mail without clicking on links.

On that basis, I'm not surprised that email scammers are still in operation.

And I still think vault would be a better term than gaol. The perpetrators belong in gaol.