Ubuntuforums.org Hacked 146
satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."
Ummm... (Score:2)
I'd change my password if there were a way to do it.
Re:Ummm... (Score:5, Funny)
Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
Friend "Oh, that's too bad."
Man: "The worst part is, he didn't say who his wife was."
Re: (Score:1)
Oh, yeah, here's a link. I guess it was Charlie's wife. Thanks.
Re: (Score:3)
I did, but they were all out of browser passwords. I did get two security questions for the price of one, which was nice.
Re: (Score:1)
apt get mypassword or sudo get my password
Re:Ummm... (Score:5, Interesting)
Re:Ummm... (Score:4, Insightful)
Transmitting passwords in cleartext over email is an absolutely terrible practice, and is only made slightly worse by doing so when account holders may not realize anything has happened and thus may be significantly delayed in visiting their accounts to change their passwords once again.
*shrug*
There isn't any better way to do it.
If you post a link, you're screwed too; anyone can click on it to reset the password.
If you don't scramble the passwords and make everyone change it on re-login, then the hackers can do that too.
If the password to a service is sent in the clear to your email, anyone who manages to get read access to your email also gets access to that service. Even if he isn't the one who originally cracked the password of the service. That's worse than if only the original hackers can do so.
Not everyone has a public key or cell phone (Score:2)
The link can be made such that it only works once.
For the attacker before the mail even gets to the intended user.
The email can be sent encrypted to your public key.
For those people who have the discretionary income to fly to key signing parties.
The password-change code can be sent to your cellphone number
For people who already pay hundreds of dollars a month for cell phone service. A lot of households still share a POTS house phone among members because it's cheaper than a cell phone with unlimited minutes per person.
Re: (Score:1)
Same AC.
That wasn't intended to be an exhaustive list, just a proof by contradiction that the OP was incorrect when he or she said, "there isn't any better way to do it."
I know that providing secure account-recovery options for public websites is hard. If you want to be able to do better than plaintext passwords though email, it is likely to require some additional development prior to the breach.
Sending a plaintext password through email has the following bad properties (non-exhaustive):
1. Anyone between th
Re: (Score:2)
Most of the general public don't understand any of the other options. The idea of a password reset link via email is that you use this password TEMPORARILY to get access to the account only. So: click password reset link, keep email program open, wait for email, log in and reset password. If someone is that sophisticated that they can sniff my email on the way through, recognise a forum login and log into it before I do whilst I'm sitting here waiting for the reset email, they can have it.
Banks? Yes
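The thread above goes back and forth on how a reset link can be safe to send by email. The following is an added example, not code from the thread or from the Ubuntu Forums software, showing the usual defensive construction: the emailed token is random, only its hash is stored server-side, and it is both time-limited and single-use, so a token that is sniffed in transit after the legitimate user has already redeemed it, or one recovered from a later database dump, is worthless. The in-memory table, the 15-minute lifetime and the function names are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory "database" for the example: sha256(token) -> record.
# Only the hash of the token is stored, so a dump of this table cannot be replayed.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _digest(token: str) -> str:
    # Tokens are 256-bit random values, so a plain hash (no salt) is fine here;
    # the attacker cannot enumerate the preimage space.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited reset token for `username` and return
    the raw token that goes into the emailed link. Only its hash is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_digest(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token exists, is unexpired and unused, and
    mark it consumed. Return None otherwise; a consumed token never works twice."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        # Drop stale entries so the table does not grow without bound.
        RESET_TOKENS.pop(_digest(token), None)
        return None
    record["used"] = True
    return record["user"]


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("first redemption:", redeem_reset_token(t))   # alice
    print("second redemption:", redeem_reset_token(t))  # None
```

The password itself never travels by email in this design; the link only proves possession of the mailbox for a short window, and the new password is chosen on the site after the single redemption.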
You need a phone number to sign up for Facebook (Score:2)
BTW: Some people don't have cellphones.
Some people don't have Internet. In any case, you already need your own phone number to sign up for Facebook unless you still have access to a university e-mail address.
Re: (Score:2)
People who don't have Internet rarely sign up on random websites, so I fail to see your point.
Some might claim that people with home Internet are more likely to have a cell phone.
I don't really care what you need to sign up on Facebook. We're talking about ubuntuforums.org.
One of the possibilities was that ubuntuforums.org might either A. adopt similar auth to Facebook or B. just rely on Facebook login.
Re: (Score:2, Flamebait)
My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.
This means I might have been silly enough to us
Re: (Score:2)
Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login
This shopping cart [philshobbyshop.com] uses OpenID and Google sign-in, but OpenID sign-in doesn't work for Yahoo! because Yahoo!'s OpenID provider uses redirects for the verification step and PHP cURL doesn't follow redirects if an open_basedir is set.
Re: (Score:2)
- The OMG I'm screwed bucket. Things like your financial passwords, administration account and primary email account passwords. Those should be memorable, complex (mix of upper/lower/numbers at a minimum), as long as reasonably possible (at least 10-12 chars, 15-18 would be better). Don't ever reuse one of those elsewhere. If you save them to a file, use a text file where you have pasted in a GPG encryption ASCII encoded block. Never save them i
Re: (Score:2)
S**t happens. I keep my passwords in an encrypted safe on my desktop machine and when I get a chance to update my Ubuntu forums password, I will.
I've had worse stuff happen to me. I figure to save my annoyance chips for something important.
Re: (Score:1)
However, a lot of people seem to not understand that that's quite useless in and of itself.
The best case is if they were using a salted lossy hash system.
It's counter-intuitive, but throwing away part of the hashed value actually increases user security because more possible hash collisions means that the actual password the user chose is obscured in instances such as this. That's exactly how UNIX DES password systems worked in the days when
Re: Ummm... (Score:1)
Throwing away part of the hash value does very little to improve security. The likelihood of two short (15 char) ASCII strings hashing to the same value even if shortened is small.
Re: (Score:2)
Ah, that makes sense.
And if you had even 10 passwords that hashed the same, you'd still be able to tell the real password from the gobbledygook of the others (unless they were randomly chosen).
And anyway, other systems that used the same hashing technique would still be vulnerable to each of the lot of colliding passwords.
When a server authenticates to another server (Score:2)
Re: (Score:1)
They got encrypted passwords?
Or, far more likely, whoever said that wasn't being super-pedantic with terminology and actually meant hashed.
Re: (Score:1)
Actually, a cryptographic hash could be considered lossy encryption.
Re: (Score:3)
"The passwords are not stored in plain text."
Re: (Score:2, Interesting)
Ubuntu forum sounds like the Linux Mint forum - can never change password, or much else that matters. I recall registering on Ubuntu, so I had better check on this!
BTW, I have reason to suspect that LM forum has also been hacked - at least 3 months ago. An email address that never got spam and was used to register there, is starting to collect spam....
Re: (Score:3)
It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.
I'm not too terribly concerned about changing that password right away.
What would be nice is if when this happens, companies would tell users HOW the passwords were being stored. "Not plain text" isn't nearly enough information. Should I discover that my password there is also used on other sites, it would be nice to be able to gauge the level of urgency that is appropriate for changing the password on those other sites. Should I expect my password to be cracked in 5 minutes or 5 days? Can I do my passw
Re: (Score:1)
If they were using vbulletin defaults the answer is md5(md5(password) . salt)
The problem I have is I don't know if I had an account on the forums or if I did, what the password was. So until they bring it back up I won't know if I need to change any other passwords.
Re: (Score:2)
This is why using a password manager is a good idea. Just pick a secure one.
Without a good password manager, it is virtually impossible to practice good password procedures. (long, non-dictionary passwords. unique passwords for every site, etc....)
The one that I use not only has a pretty good password generator, but will also warn me about sites that I'm using the same password on, and provide me with a list of other sites where I'm using that password. So for me, the problem you're describing took abou
Re: (Score:2)
I wouldn't mind being him. His bank account is a *LOT* better than mine.
Re: (Score:2)
Re:That's what you get for running Ubuntu (Score:5, Informative)
Um, what? For the base server install you get no network services installed whatsoever (not even SSHd). As for size, a base install of the current server version of Ubuntu is ~64MB of disk space IIRC. That's hardly what I'd call bloated.
Re: (Score:1)
Except that like its parent operating system, Debina, *no one* uses the base install.
That's Debian! Deb + Ian!
... aptitude for package management (which brings in X windows)...
No, it doesn't.
Why bring in aptitude? (Score:2)
aptitude for package management (which brings in X windows)
Why bring in aptitude? I thought that from the command line, apt-get did the same thing.
Talking about a "base install" for such a system is like talking about [camping]
How much does OpenSSH + the basic LAMP stack add to the base install?
Re:That's what you get for running Ubuntu (Score:4, Insightful)
Should have used Windows. (Score:2, Offtopic)
I Guess these guys should have used Windows.
Bla Bla Bla...
Really folks, the OS or how the software is licensed doesn't equate to security or quality. Treat every system that is open to the outside world as potentially vulnerable to attack and make sure your logins and passwords are completely encrypted even in your database. If you can see it, then it is vulnerable. As well, you had better be sure you use some salting in your hashing too.
Re: (Score:2)
Passwords are rarely in plain text. The issue is that if it's not salted, then the passwords can be discovered by looking at a precalculated table (rainbow table). So it would be useful to know whether or not it's salted.
Re: (Score:1)
It isn't useful at all. For all you know the attackers could be brute-forcing your salted password hash right now, so the only sane thing to do is change the password.
Re:Should have used Windows. (Score:4, Interesting)
The important thing is that the hash is lossy, so that even if salt+"abc613" hashes to the value in the database, there is no reason to believe that "abc613" was actually the password the user was using. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.
I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32 bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.
Re: (Score:2)
Which is going to have fewer collisions and which will take longer to brute-force?
Except that when someone brute forces that 512 bit hash, then they know the exact password because the password wasn't anywhere near as long as the damn 64 byte hash.
That then leads to every place that the user used the password being vulnerable. In other words, you did not do the user a favor by using the 512 bit hash. You instead fucked the user over by using a 512 bit hash because the only thing you did was slow the attacker down. You didn't do due diligence to prevent the attacker from knowing the passw
Re: (Score:2)
I use 512 bit SHA2 with a 256 bit hashed salt and have had zero issues.
A 25 GPU setup has been benchmarked at 63 billion SHA hashes per second.
How long are these passwords? 8 characters, with uppercase, lowercase, numeric, and a few symbols? Yeah, that search space is about 2^48 in size. It is irrelevant that you used a 256-bit hash in that regard.
Upper bound on brute forcing an 8-character SHA hashed password is 4467 seconds. The problem is that there will be exactly 1 result after the entire 8-character brute force because you used a 256-bit hash, and that 1 result wi
Re: (Score:2)
32 bits is small enough that an offline attack with a stolen password file will succeed.
Offline attacks will always succeed because the search space is smaller than you think. 8 character alphanumeric with a few symbols is about 48 bits of entropy supplied by the user. A 25 GPU setup has been clocked at 63 billion SHA hashes per second, so about a 4467 second upper limit to the time it takes to try 100% of the possibilities.
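The numbers traded in the posts above (a 2^48 search space, 63 billion hashes per second, a 4467 second upper bound, and the claim that a truncated 32-bit hash leaves many candidates per stored value) can be carried through as a small calculation. This is an added example, not code from the thread; it generalises the posts' single case to any alphabet size, password length, hash rate and stored-hash width, and adds a work factor to show what a deliberately slow KDF does to the same bound. The alphabet size of 62 and the 100,000-iteration work factor are assumed values for illustration.

```python
import math


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an exhaustive search over `length` characters drawn
    uniformly from `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def exhaustive_seconds(space_bits: float, hashes_per_second: float,
                       work_factor: int = 1) -> int:
    """Upper bound, in whole seconds, to try every candidate in a 2**space_bits
    space at `hashes_per_second` raw hash evaluations per second.
    `work_factor` is the number of underlying hash calls a slow KDF spends per
    guess (1 for a bare MD5/SHA, thousands or more for PBKDF2/bcrypt/scrypt)."""
    return int(2 ** space_bits * work_factor / hashes_per_second)


def expected_preimages(space_bits: float, stored_bits: int) -> float:
    """Expected number of candidates in the search space that map to one given
    stored value when only `stored_bits` of the hash are kept. Values below 1
    mean a brute-force hit almost certainly reveals the exact password."""
    return 2 ** space_bits / 2 ** stored_bits


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 63e9  # GPU rig figure quoted in the thread, hashes/second
    bits_62 = search_space_bits(62, 8)          # upper+lower+digits, 8 chars
    print(f"8 chars over 62 symbols: {bits_62:.1f} bits")
    print("2^48 space, bare hash:", exhaustive_seconds(48, rate), "s")
    slow = exhaustive_seconds(48, rate, work_factor=100_000)
    print(f"same space, 100k-iteration KDF: {slow} s = {seconds_to_years(slow):.1f} years")
    print("candidates per 32-bit stored value:", expected_preimages(48, 32))
    print("candidates per 256-bit stored value:", expected_preimages(48, 256))
```

The output makes both sides of the argument concrete: the 4467 second figure comes straight from 2^48 / 63e9, a full-width hash leaves far fewer than one expected preimage per stored value (so a hit is the real password), a 32-bit truncation leaves about 65,536, and a work factor of 100,000 pushes the exhaustive bound from about an hour to over a decade without changing anything the user does.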
Re:Should have used Windows. (Score:4, Interesting)
No, because cracking passwords, even salted ones, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.
Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.
Ars Technica details it better.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/ [arstechnica.com]
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ [arstechnica.com]
Re: (Score:3, Informative)
Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.
tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::
I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...
Re: (Score:2)
cracking passwords, even salted one, is ridiculously easy
Not necessarily true.
If the user has used a very common password, then it's likely.
However if it's an uncommon password that's hashed using something like bcrypt [wikipedia.org] with a decent number of rounds, then it's far from "ridiculously easy".
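Two storage schemes are named in this thread: the vBulletin default md5(md5(password) . salt) mentioned earlier, and a slow, salted KDF such as bcrypt. The following is an added example, not code from the thread or from vBulletin, that implements both side by side so the difference is visible: the legacy scheme costs two fast MD5 calls per guess, while the salted scheme costs a configurable number of iterations per guess and is verified in constant time. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) stands in for it; the record format, the 200,000-iteration default and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def legacy_vb_hash(password: str, salt: str) -> str:
    """Legacy vBulletin-style scheme named in the thread: md5(md5(password) . salt).
    The salt defeats precomputed tables, but each guess is still only two MD5
    calls, which a GPU rig evaluates billions of times per second."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Produce a stored credential of the form scheme$iterations$salt$hash.
    A fresh 16-byte random salt per user means identical passwords get
    different hashes and each account has to be attacked separately."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print("legacy:", legacy_vb_hash("correct horse", "ab12"))
    rec = make_record("correct horse")
    print("stored:", rec)
    print("verify ok:", verify_record("correct horse", rec))   # True
    print("verify bad:", verify_record("wrong", rec))          # False
```

Because the iteration count is stored in the record, it can be raised for new users and re-hashed for existing ones at their next login without invalidating anything.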
Re: (Score:2)
Q: Can these devices be used for anything else like password cracking? A: No, their function is limited to high speed encryption validation in the specific double step sha256 protocol. It's not useful for any purpose related to rainbow tables or password recovery.
http://www.butterflylabs.com/bitforce-sc-faq/ [butterflylabs.com]
Re: (Score:2)
This kind of breach is usually just bugs in the forum software or the server software they run on.
Re: (Score:1)
It probably wasn't much better than that. Don't know if it's still current, but the Javascript of their login form used to do this:
<form id="navbar_loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)" method="post" action="login.php?do=login">
Password Policy (Score:2)
Re: (Score:2)
Does anyone remember what password policy the forums had, trying to work out which password I was using for it.
It's probably the one in your sig.
Forums the new lowest hanging fruit (Score:1)
Forum attacks have increased in recent years and it seems to be the newest go-to vulnerability. This is not platform specific, so no need to just bash Linux or even Ubuntu specifically. Really, it's time for people to get serious about forums and mailing list software where security is concerned. All of us know forum software is among the most used and abused software out there but mostly just underfunded. I invite all of you progressive thinkers out there to take this staple of development and communication
Password policy (Score:5, Interesting)
You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.
I remember reading the following advice: if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!
Re: (Score:3, Informative)
I remember reading the following advice: if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!
Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).
Guess what the best advice is? Use a different password for every site.
Re: (Score:2)
Guess what the best advice is? Use a different password for every site.
I ran out of memory at 65536. I guess I'm just 16 bits wide.
Re: (Score:2)
and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable
No. Just no. It is not possible to ENCRYPT the passwords so that they are secure. Encryption is the WRONG TOOL for storing passwords, because with encryption it is ultimately decryptable and therefore someone can know for certain what your password is.
To be quite specific, I want there to be billions of "passwords" that hash to the same value that's in their database for my account, so that even when an attacker finds a collision he still won't know what I fucking use for a password.
Re: (Score:3)
This is the finding the needle in a stack of needles approach to password protection.
Re: (Score:2)
Your sarcasm was misguided anyway. The point is that if your original password can be sent to you in an email, it means they must be storing the password in plain-text anyway - if they're doing that, it doesn't bode well for the rest of their security implementations.
Re: (Score:2)
Don't worry about it. He accused me of being young and naive about computers (which is interesting, since I code on FPGAs for a living), as if he's some amazing gift to the computing world.
I fucking hate people who talk down strangers like this.
Re: (Score:1)
RUN!!!
Does that help?
Re: (Score:2)
Me too I use:
passSlashdot
passUbuntu
passGmail
etc.
4 years?! In the future?! (Score:1)
It took 4 years after they were notified until they took the site down, in the future.
Radical technology, indeed. Paper.. (Score:1)
Re: (Score:3, Informative)
Wrong [wikipedia.org]