
WARNING: 33.000 SMF passwords stolen and on the loose in Finland

Started by Surferbird, October 13, 2007, 04:35:18 PM

Surferbird

Today's news in Finland tells that people should change their passwords all over.

In the actual file, which is a public torrent file, these guys tell that an 80.000 list of
passwords and e-mail addresses contains 33.000 SMF forum hashes.
Is there some leak in this software or how is this possible?

I have read the list and I was not there, lucky me -
.:: Always something to ask - always grateful for assistance ::.

H

Have you got a link to this?

SMF uses an encrypted password system so a list of hashes doesn't help much
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Surferbird

Quote from: H on October 13, 2007, 04:46:09 PM
Have you got a link to this?

SMF uses an encrypted password system so a list of hashes doesn't help much

It is a public torrent on the world's largest torrent site! There is an e-mail after every address.

Quote of list text:
List contains about 29 800 MD5 hashes, a few hundred
SHA1 hashes, 33 000 not so fun SMF forum hashes and of course
also a few hundred passwords in plain text.
.:: Always something to ask - always grateful for assistance ::.

karlbenson

hmm.

(link removed)

I'm downloading it at the moment.

If any smf staff/team members want it. I'll provide a copy.
(5mins to download)

Surferbird

Good that you found/have it because I don't want to involve myself in anything more with this; it is under investigation in Finland by police or whoever.
They say in the news it is the biggest password exposure in Finland. I was curious enough to check if my info was there but I was lucky, none of mine was there :)

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html
.:: Always something to ask - always grateful for assistance ::.

Tony Reid

I've sent a direct link to a zip file via email to the team.

Although, I would also like to add that SMF has used SHA1 for some time and only sites running very old versions of SMF will be using MD5, which is reasonably crackable... as far as I know, SHA1 is still secure.
Tony Reid

Tony Reid

Quote from: Surferbird on October 13, 2007, 04:58:20 PM
Good that you found/have it because I don't want to involve myself in anything more with this; it is under investigation in Finland by police or whoever.
They say in the news it is the biggest password exposure in Finland. I was curious enough to check if my info was there but I was lucky, none of mine was there :)

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html

Thank you for highlighting this.

Would you be kind enough to provide a translation, as this will help the team respond correctly to the newspaper if required.

You do not need to identify yourself ;)

Thanks again,
Tony
Tony Reid

Surferbird

Ok. Better this comes to the knowledge of all; there are maybe some admins that should update their SMF software ;)
.:: Always something to ask - always grateful for assistance ::.

karlbenson

A quick google search.
http://www.tiede.fi/keskustelut/viewtopic.php?t=23225

From what I've seen in the .txt file I can't see how this would be at all useful.

Surferbird

Did you observe this link in the forum you linked: xxxx://xxxxxxxxxxx.com/seekhash.php

I shouldn't be so sure?

BTW, I was surfing and read in one forum message that a guy tested cracking the hash, and he got passwords out of it,
so it is possible to get passwords out of hashes ::)
.:: Always something to ask - always grateful for assistance ::.

GazOutEast

Karl - how's that?

Does it contain anything that would let someone get into our sites?

Mine went mammaries upwards about 2am GMT 13 Oct and I can't get back into it at all.

I have 20:20 vision - I can see anything bigger than 20" x 20"

Surferbird

Quote from: Tony on October 13, 2007, 05:05:25 PM
Quote from: Surferbird on October 13, 2007, 04:58:20 PM
Good that you found/have it because I don't want to involve myself in anything more with this; it is under investigation in Finland by police or whoever.
They say in the news it is the biggest password exposure in Finland. I was curious enough to check if my info was there but I was lucky, none of mine was there :)

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html


Thank you for highlighting this.

Would you be kind enough to provide a translation - as this will help the team respond correctly to the newspaper if required.

You do not need to identify yourself ;)

Thanks again,
Tony

I'm a bad translator, but I think you could ask someone in Finnish support to do it :(

.:: Always something to ask - always grateful for assistance ::.

Surferbird

Here is the Finnish CERT-FI warning text (again only in Finnish) because I couldn't find anything in English so far :(
I hope some nice Finnish user translates the text for others?

http://www.cert.fi/varoitukset/2007/varoitus-2007-7.html
.:: Always something to ask - always grateful for assistance ::.

niko

Most likely this is not an SMF related problem; it's just that hackers have got root (or similar) access to the database. The list includes passwords also for other systems.

Basically the message at the beginning was that it includes 78k passwords (or actually almost 79k).
29 800 MD5 hashes, a few hundred SHA1, and 33k "not so nice" SMF forum hashes and some plain text.

And how big it is for a small country like Finland.
Websites: Madjoki || (2 links retracted by team, links out of date and taken over.)
Mods: SMF Arcade, Related topics, SMF Project Tools, Post History

WIP Mods: Bittorrent Tracker || SMF Wiki

Surferbird

If these hashes can be turned into real passwords, is it a kind of SMF problem too? SMF passwords are not encrypted really safely if you can generate real passwords from these hashes or whatever they are encrypted with. Not directly an SMF error, but still a dangerous thing for SMF too in my mind.

One place warned against using SMF software because, according to the writer, it is an easy target to steal this kind of thing from, and this is not very good for SMF software?
.:: Always something to ask - always grateful for assistance ::.

Tony Reid

Only really old versions of SMF used MD5 hashing, which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable.

Tony Reid

niko

Every forum system is vulnerable to this kind of attack. It's not very quick to generate a valid password for SMF's hashes since they're salted with the username, making rainbow tables useless, and thus you would have to brute-force the password, which can take many years. But you still should change passwords and use complex ones.

According to CERT-FI, in some cases hashes were stolen via phpBB and database exploits (probably means servers like MySQL).

Quote from: Tony on October 14, 2007, 05:39:01 AM
Only really old versions of SMF used MD5 hashing, which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable.

There are rainbow tables for SHA1 but these don't work for SMF since SMF salts passwords.
Websites: Madjoki || (2 links retracted by team, links out of date and taken over.)
Mods: SMF Arcade, Related topics, SMF Project Tools, Post History

WIP Mods: Bittorrent Tracker || SMF Wiki

Surferbird

In the end, this shows that you should always update your SMF software to the latest version ;)
.:: Always something to ask - always grateful for assistance ::.

niko

Quote from: Surferbird on October 14, 2007, 06:01:00 AM
In the end, this shows that you should always update your SMF software to the latest version ;)

And other software too, so no one can crack in and steal hashes :)
Websites: Madjoki || (2 links retracted by team, links out of date and taken over.)
Mods: SMF Arcade, Related topics, SMF Project Tools, Post History

WIP Mods: Bittorrent Tracker || SMF Wiki

H

Quote from: Tony on October 14, 2007, 05:39:01 AM
Only really old versions of SMF used MD5 hashing, which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable.

I wasn't around for the SMF 1.0 series, but if the MD5 uses the username as a salt (like 1.1 with SHA1) then I imagine getting actual passwords from these hashes still takes quite a bit of time.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
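
niko's point above (a per-user salt makes precomputed rainbow tables useless) and H's guess that a username-salted hash takes longer to reverse both come down to the same mechanism. The following is an added example, not code from the thread or from the SMF project: it assumes the SMF 1.1 scheme as described in the thread, SHA1 over the lowercased username followed by the password, and shows why a table of plain `sha1(password)` digests matches an unsalted hash but not a salted one, and why two users with the same password get different stored values. The sample guesses and user records are constructed for the demonstration.

```python
import hashlib
import hmac


def smf_hash(username: str, password: str) -> str:
    """SMF 1.1-style hash as assumed here: SHA1 over the lowercased
    username followed by the password. The username is the per-user salt."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def unsalted_sha1(password: str) -> str:
    """Plain SHA1 of the password alone, the kind of digest a precomputed
    (rainbow) table is built against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_table(candidates):
    """Toy stand-in for a precomputed table: digest -> password for a few
    constructed guesses. A real table is the same idea at scale."""
    return {unsalted_sha1(p): p for p in candidates}


def verify_password(username: str, password: str, stored: str) -> bool:
    """How the forum would check a login attempt against the stored hash.
    Constant-time comparison avoids leaking the match position via timing."""
    return hmac.compare_digest(smf_hash(username, password), stored)


# Constructed sample data: a few common guesses and two users who happen
# to share the same (weak) password.
SAMPLE_GUESSES = ["password", "123456", "letmein", "qwerty"]
SAMPLE_USERS = {"Alice": "letmein", "Bob": "letmein"}


def table_lookup_outcome():
    """Compare what a precomputed table recovers from an unsalted digest
    versus a username-salted one, and show the per-user effect of the salt."""
    table = build_unsalted_table(SAMPLE_GUESSES)
    plain_digest = unsalted_sha1(SAMPLE_USERS["Alice"])
    salted_digest = smf_hash("Alice", SAMPLE_USERS["Alice"])
    return {
        # The unsalted digest is found directly in the table.
        "unsalted_hit": table.get(plain_digest),
        # The salted digest is not: the table was built without the salt.
        "salted_hit": table.get(salted_digest),
        # Same password, different users: different stored hashes, so one
        # table lookup cannot serve every user at once.
        "per_user_differs": smf_hash("Alice", "letmein") != smf_hash("Bob", "letmein"),
        # The scheme lowercases the username, so "Alice" and "alice" agree.
        "username_case_folded": smf_hash("Alice", "letmein") == smf_hash("alice", "letmein"),
    }


if __name__ == "__main__":
    print(table_lookup_outcome())
```

The salt only stops table reuse; SHA1 itself is fast, so a weak password behind a username salt is still cheap to guess directly, which is why the thread's advice to change passwords and pick complex ones stands. Password storage designed today uses a deliberately slow, randomly salted function (bcrypt, scrypt or Argon2) rather than a single SHA1 round.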
