Ubuntuforums.org Hacked 146

Posted by Soulskill
from the another-one-falls dept.
satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."
  • It's good the Ubuntu Forums has alerted us that this breach has occurred and that we need to change our passwords. It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

    I'd change my password if there were a way to do it.
    • Re:Ummm... (Score:5, Funny)

      by interkin3tic (1469267) on Sunday July 21, 2013 @01:34AM (#44340365)
      Personally, I'm trying to remember which password I used on it.

      Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
      The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
      Friend "Oh, that's too bad."
      Man: "The worst part is, he didn't say who his wife was."
      • by JustOK (667959)

        apt get mypassword or sudo get my password

      • by coastin (780654) *
        If you still don't remember your password send a password recovery request to the NSA. I understand they have great support for things we all lose track of.
      • by louic (1841824)
        No problem. Just wait until your password gets posted on pastebin.
    • Re:Ummm... (Score:5, Interesting)

      by davetv (897037) on Sunday July 21, 2013 @02:14AM (#44340467)
      I wonder when they are going to email the userbase with this announcement. I have received no email from them. Perhaps the hacker could alert the userbase as a community spirited gesture.
    • Re: (Score:2, Flamebait)

      by ancientt (569920)

      My first thought: "Oh crap, that's me." I use a few passwords across multiple sites, basically determining how unique and how complicated by how much I consider a breach a danger and how much I trust the site to keep the password info secure. Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login, and don't trust them much. Still, I tend to trust Unix minded people to care about security.

      This means I might have been silly enough to us

      • by tepples (727027)

        Generally, I hate forums that build their own password systems rather than using OpenID or Google Sign In or even Facebook login

        This shopping cart [philshobbyshop.com] uses OpenID and Google sign-in, but OpenID sign-in doesn't work for Yahoo! because Yahoo!'s OpenID provider uses redirects for the verification step and PHP cURL doesn't follow redirects if an open_basedir is set.

      • by smash (1351)
        I used to do the same. However, what you are doing doesn't scale. You can't remember all the passwords, and certainly not enough to really be secure. And if you need to change one? It's a pain in the arse. So... don't try and do something impossible. Use a password manager, so you can use fully random passwords of the strongest length available on each site, and reset them without having to reprogram your brain. Keepass is free and open source.
      • You need to segregate your passwords into a few buckets:

        - The OMG I'm screwed bucket. Things like your financial passwords, administration account and primary email account passwords. Those should be memorable, complex (mix of upper/lower/numbers at a minimum), as long as reasonably possible (at least 10-12 chars, 15-18 would be better). Don't ever reuse one of those elsewhere. If you save them to a file, use a text file where you have pasted in a GPG encryption ASCII encoded block. Never save them i
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Ubuntu forum sounds like the Linux Mint forum - can never change password, or much else that matters. I recall registering on Ubuntu, so I had better check on this!

      BTW, I have reason to suspect that LM forum has also been hacked - at least 3 months ago. An email address that never got spam and was used to register there, is starting to collect spam....

    • by bonehead (6382)

      It would be nice however if when they put up the announcement page, thus taking Ubuntu Forums off-line that they also give us a link to a page or other device to change our password.

      I'm not too terribly concerned about changing that password right away.

      What would be nice is if when this happens, companies would tell users HOW the passwords were being stored. "Not plain text" isn't nearly enough information. Should I discover that my password there is also used on other sites, it would be nice to be able to gauge the level of urgency that is appropriate for changing the password on those other sites. Should I expect my password to be cracked in 5 minutes or 5 days? Can I do my passw

      • by Anonymous Coward

        If they were using vbulletin defaults the answer is md5(md5(password) . salt)

        The problem I have is I don't know if I had an account on the forums or if I did, what the password was. So until they bring it back up I won't know if I need to change any other passwords.

        • by bonehead (6382)

          This is why using a password manager is a good idea. Just pick a secure one.

          Without a good password manager, it is virtually impossible to practice good password procedures. (long, non-dictionary passwords. unique passwords for every site, etc....)

          The one that I use not only has a pretty good password generator, but will also warn me about sites that I'm using the same password on, and provide me with a list of other sites where I'm using that password. So for me, the problem you're describing took abou

    • by smash (1351)
      Presumably, they mean to change your password if you use the same one on other sites. The site itself is likely OFFLINE for forensic analysis. Install a password manager (I use both 1Password and KeePass - KeePass is open source, cross platform and free, so no excuse). Make all passwords 100% random and unique. Move on.
  • I Guess these guys should have used Windows.
    Bla Bla Bla...

    Really folks, the OS or how the software is licensed doesn't equate to security or quality. Treat every system that is open to the outside world as potentially vulnerable to attack and make sure your logins and passwords are completely encrypted even in your database. If you can see it then it is vulnerable. As well, you better be sure you use some salting in your hashing as well.

    • The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.
      • by HJED (1304957)
        Or just being safe even if the passwords are salted, given that in the same line it also says that the passwords were not in plaintext.
        • passwords are rarely in plain text. the issue is if it's not salted then the passwords can be discovered by looking at a precalculated table (rainbow table). so it would be useful to know whether or not it's salted

          • by Anonymous Coward

            It isn't useful at all. For all you know the attackers could be bruteforcing your salted password hash right now, so the only sane thing to do is change the password.

          • by Rockoon (1252108) on Sunday July 21, 2013 @05:38AM (#44340931)
            Salting helps against rainbow tables, but it's irrelevant to the integrity of the password itself.

            The important thing is that the hash is lossy so that even if salt+"abc613" hashes to the value in the database, there is no reason to believe that "abc613" was actually the password the user was using. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.

            I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32 bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.
      • by tlhIngan (30335) on Sunday July 21, 2013 @02:45AM (#44340571)

        The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

        No, because cracking passwords, even salted ones, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

        Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

        Ars Technica details it better.
        http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/ [arstechnica.com]

        http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ [arstechnica.com]

        • Re: (Score:3, Informative)

          by Anonymous Coward

          Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.

            tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::

          I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...

        • by skegg (666571)

          cracking passwords, even salted one, is ridiculously easy

          Not necessarily true.

          If the user has used a very common password, then it's likely.

          However if it's an uncommon password that's hashed using something like bcrypt [wikipedia.org] with a decent number of rounds, then it's far from "ridiculously easy".

        • Butterfly Labs' bit-miner kit FAQ would suggest that their ASIC chips cannot be subverted into password cracking tools:

          Q: Can these devices be used for anything else like password cracking?
          A: No, their function is limited to high speed encryption validation in the specific double step sha256 protocol. It's not useful for any purpose related to rainbow tables or password recovery.

          http://www.butterflylabs.com/bitforce-sc-faq/ [butterflylabs.com]
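Since the salt/no-salt question and the "decent number of rounds" point above keep coming up, here is an added worked example (mine, not code from vBulletin, Ubuntu Forums, or anyone in this thread) that puts the three storage schemes discussed side by side: unsalted MD5, the md5(md5(password) . salt) construction one comment attributes to vBulletin defaults, and a salted slow hash. It uses only the Python standard library; PBKDF2-HMAC-SHA256 stands in for bcrypt because hashlib has no bcrypt. The accounts, per-user salts, and the tiny wordlist are constructed for the demo and have nothing to do with the actual breach. The point it shows: with no salt, one precomputed table recovers every account that picked the same weak password in one lookup; with a per-user salt that single table finds nothing, and a slow hash additionally makes each guess expensive while verification still works.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (illustrative only, not data from the breach).
# Two users chose the same weak password, the case an unsalted scheme handles worst.
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct horse battery staple",
}
# Constructed per-user salts for the salted scheme (a real system draws these from os.urandom).
SALTS = {"alice": "x1", "bob": "y2", "carol": "z3"}
# Constructed mini wordlist standing in for the inputs of a precomputed (rainbow) table.
COMMON = ["123456", "password1", "qwerty"]


def unsalted_md5(password):
    """Unsalted MD5: equal passwords give equal hashes, so one precomputed
    table breaks every account that chose a listed password at once."""
    return hashlib.md5(password.encode()).hexdigest()


def vbulletin_style(password, salt):
    """md5(md5(password) . salt), the scheme a comment above attributes to
    vBulletin defaults. The per-user salt defeats precomputed tables, but the
    hash is still cheap, so guessing per account remains fast."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_store(password, iterations=200_000, salt=None):
    """Salted *and* slow: PBKDF2-HMAC-SHA256 (standard-library stand-in for the
    bcrypt-with-rounds idea). Returns a self-describing record so the iteration
    count can be raised later without breaking rows stored earlier."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def precomputed_table(hash_fn):
    """hash -> password for the wordlist, computed once (the rainbow-table idea)."""
    return {hash_fn(p): p for p in COMMON}


def table_hits(stored, table):
    """Accounts whose stored hash is found by a single precomputed table."""
    return sorted(user for user, h in stored.items() if h in table)


def compare_schemes():
    # 1. Unsalted MD5: one table lookup recovers both accounts that share "password1".
    stored_md5 = {u: unsalted_md5(p) for u, p in USERS.items()}
    md5_hits = table_hits(stored_md5, precomputed_table(unsalted_md5))

    # 2. Per-user salt: a table built for one salt ("q9", constructed) matches no row,
    #    so the work has to be redone per user instead of once for everyone.
    stored_vb = {u: vbulletin_style(p, SALTS[u]) for u, p in USERS.items()}
    vb_hits = table_hits(stored_vb, precomputed_table(lambda p: vbulletin_style(p, "q9")))

    # 3. PBKDF2: salted, slow, and still verifiable (fewer iterations only to keep the demo quick).
    record = pbkdf2_store("password1", iterations=50_000)

    return {
        "unsalted_md5_hits": md5_hits,                                   # ['alice', 'bob']
        "salted_md5_hits": vb_hits,                                      # []
        "same_hash_unsalted": stored_md5["alice"] == stored_md5["bob"],  # True
        "same_hash_salted": stored_vb["alice"] == stored_vb["bob"],      # False
        "pbkdf2_accepts_right": pbkdf2_verify("password1", record),      # True
        "pbkdf2_rejects_wrong": pbkdf2_verify("password2", record),      # False
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(name, value)
```

The record format in pbkdf2_store is the practical part for a site operator: because the iteration count travels with the hash, you can raise it for new logins as hardware gets faster (the point tlhIngan makes about hash throughput) without a forced reset for everyone.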

    • This kind of breach is usually just bugs in the forum software or the server software they run on.

  • Does anyone remember what password policy the forums had, trying to work out which password I was using for it.
    • by Pieroxy (222434)

      Does anyone remember what password policy the forums had, trying to work out which password I was using for it.

      It's probably the one in your sig.

  • by Anonymous Coward

    Forum attacks have increased in recent years and it seems to be the newest go-to vulnerability. This is not platform specific so no need to just bash Linux or even Ubuntu specifically. Really, its time for people to get serious about Forums and mailing list software where security is concerned. All of us know forum software is among the most used and abused software out there but mostly just underfunded. I invite all of you progressive thinkers out there to take this staple of development and communication

  • Password policy (Score:5, Interesting)

    by readingaccount (2909349) on Sunday July 21, 2013 @02:12AM (#44340457)

    The passwords are not stored in plain text

    You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.

    I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you a temporary password so you can make a new one, but if they happen to actually email you your actual password... RUN!!!

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you a temporary password so you can make a new one, but if they happen to actually email you your actual password... RUN!!!

      Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).

      Guess what the best advice is? Use a different password for every site.

      • by Pieroxy (222434)

        Guess what the best advice is? Use a different password for every site.

        I ran out of memory at 65536. I guess I'm just 16 bits wide.

      • by Rockoon (1252108)

        and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable

        No. Just no. It is not possible to ENCRYPT the passwords so that they are secure. Encryption is the WRONG TOOL for storing passwords, because with encryption it is ultimately decryptable and therefore someone can know for certain what your password is.

        To be quite specific, I want there to be billions of "passwords" that hash to the same value thats in their database for my account, so that even when an attacker finds a collision he still won't know what I fucking use for a password.

      • Your sarcasm was misguided anyway. The point is that if your original password can be sent to you in an email, it means they must be storing the password in plain-text anyway - if they're doing that, it doesn't bode well for the rest of their security implementations.

    • by aliquis (678370)

      RUN!!!

      Does that help?

  • From http://ubuntuforums.org/announce.html [ubuntuforums.org]...

    2013-07-20 2011UTC: Reports of defacement
    2013-07-20 2015UTC: Site taken down, this splash page put in place while investigation continues.

    It took 4 years after they were notified until they took the site down, in the future.

  • Wow. Has *everybody* forgotten about plain old paper? I got sick of forgetting passwords, so wrote (printed, actually) them down on paper. I have a highly encrypted file where I store the digital master for reprinting or updates to the list. The only inconvenient bit about it is that I can't copy and paste from a paper list, and copy/paste is a secure way to enter a password: it makes keyloggers useless. Don't lose the paper, or forget the master password for the digital backup, though. I did once ;-(
