Security Report - Blog - 2019-11-20
Attacks are just a part of the modern Internet.
If you have a website, whether or not it even has a domain, you will come under attack almost as soon as the server becomes accessible.
For the most part, these attacks are defeated without any effort at all.
For some, you need a more considered approach.
Current State of Attacks
Since the server came up in June, we've faced:
99,084 failed login attempts on the server (not the site).
- 4,037 of these were this month.
- 3,000 of these came from known hacker hotspots.
- Of the successful logins, all came from a single IP, so they are clearly legitimate.
7 DDoS attacks on the server.
- 2 of these were this month.
- 1 of these successfully prevented customers from connecting to SIXTEENmm.
- The downtime was 1 minute and 37 seconds, give or take 10 seconds for the defense propagation.
- The successful attack was in May.
- 5 of these utilised swarms of servers coming from AWS, and were reported.
1.8 million failed login attempts on the site.
- Only a half-dozen of these were for existing users; it's reasonable to believe these 8 failed logins were actual customers who simply failed to recall their password.
- The majority of these failed login attempts came from known hacker hotspots.
- There is no reason to believe a hacker has accessed a customer's account currently.
8 phishing attempts on our email.
- As all our legitimate email is GPG-signed, there's no reason to believe these will ever be successful.
What You Need to Know
Part of SIXTEENmm's commitment to privacy means that we can't protect you in every case.
If you lose your password somewhere else, such as from a data breach, you can run into a problem.
We aren't tracking the IP addresses you commonly log in from.
If a new login comes out of the blue from a new location, we won't notice it.
That isn't to say there is no protection here. We maintain a current and frequently updated ban list covering many IPs throughout the world. Most of the account distributors out there will fail to connect to us at all, and so won't be able to log in to confirm a stolen account before passing it on to their customers.
This means you need to be proactive.
We already recommend you don't re-use your password, and make use of a password manager.
But if the same password you use for SIXTEENmm is breached elsewhere, then you need to change it as soon as possible.
Firefox and Chrome have integrated a service provided by HIBP (Have I Been Pwned) to notify you when a particular email address has appeared in a breach.
Make use of these services to find out when your email address has turned up, and change your password if it has.
It doesn't matter how complex or unguessable a password is if it has appeared in a data breach.
What if SIXTEENmm does get breached?
We lay out what we collect and how we protect it in our Security Policy.
But if we were to be breached, what a hacker would have access to is:
A SHA3-256 hash of your username, but not the username itself.
- They would have to already know the username to confirm that it is linked to this account.
A salted, scrypt-hashed password.
- There are actually two salts in the database, but they could try both.
- Cracking these hashes would take a "very long time".
A blob made with a symmetric encryption scheme based around PBKDF2-HMAC, AES-CBC and a 256-bit HMAC, containing your billing information. The key to unlock this isn't kept on the server.
- Cracking this would take a "very long time".
- We're required by law to keep this information for up to 7 years. It will be kept in encrypted form for that time, unless we receive a legal request to access the information.
A blob made with the same symmetric encryption scheme (PBKDF2-HMAC, AES-CBC and a 256-bit HMAC), containing your email address. The key to unlock this isn't kept on the server.
- Cracking this would take a "very long time".
A timestamp from when you signed up (used to track when your free month expires), accurate to the nearest second.
Whether your account is locked or not.
Either 'free', 'permafree', or a semi-random identifier, identifying what kind of account you have.
A list of your watching history, what you've listed for later, favourites, the things you've ignored, and so on. (You can clear these on the settings page.)
In short, if a hacker breached us, they wouldn't have any information that would be "sellable" or worth anything.