WARNING: 33.000 SMF password stolen and on the loose in Finland

Surferbird · October 13, 2007, 04:35:18 PM

Today news in finland tells that people should change their passwords all over.

In the actual file wich is public torrent file these guys tell that 80.000 list of
passwords and e-mail addresses cotain 33.000 SMF foorum hashes.
Is there some leak in this software or how is this possible?

I have read the list and i was not there, lucky me -

H · October 13, 2007, 04:46:09 PM

Have you got a link to this?

SMF uses an encrypted password system so a list of hashes doesn't help much

Surferbird · October 13, 2007, 04:49:54 PM

Quote from: H on October 13, 2007, 04:46:09 PM
Have you got a link to this?

SMF uses an encrypted password system so a list of hashes doesn't help much

It is a bublic torrent on worlds largest torrent site! There is e-mail after every addresse.

Quote of list text

Code Select

List kontain about 29 800 MD5 hashi, few hounreds
    SHA1 hash, 33 000 not so fun SMF forum hashes and of course
    also few houndreds paSSWORDS IN PLAIN TEXT.

karlbenson · October 13, 2007, 04:50:51 PM

hmm.

(link removed)

I'm downloading it at the moment.

If any smf staff/team members want it. I'll provide a copy.
(5mins to download)

Surferbird · October 13, 2007, 04:58:20 PM

Good that you found/have it because i dont wanna involve me in anything more with this, it is unders investigation in Finland by police or whoever.
They say in news it is biggest password expose in Finland. I was curious enought to check if my info was there but i was lucky, none of mine was there

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html

Tony Reid · October 13, 2007, 05:03:25 PM

I've sent a direct link to a zip file via email to the team.

Although - I would also like to add that SMF has used SHA1 for some time and only sites running very old versions of SMF will be using MD5 - which is reasonably crackable.... as far as I know - SHA1 is still secure.

Tony Reid · October 13, 2007, 05:05:25 PM

Quote from: Surferbird on October 13, 2007, 04:58:20 PM
Good that you found/have it because i dont wanna involve me in anything more with this, it is unders investigation in Finland by police or whoever.
They say in news it is biggest password expose in Finland. I was curious enought to check if my info was there but i was lucky, none of mine was there

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html

Thank you for highlighting this.

Would you be kind enough to provide a translation - as this will help the team respond correctly to the newspaper if required.

You do not need to identify yourself

Thanks again,
Tony

Surferbird · October 13, 2007, 05:06:51 PM

Ok. Better this come to knowledge for all, there is maybe some admins that should updat their smf software

karlbenson · October 13, 2007, 05:09:51 PM

A quick google search.
http://www.tiede.fi/keskustelut/viewtopic.php?t=23225

From what I've seen in the .txt file I can't see how this would be at all useful.

Surferbird · October 13, 2007, 05:16:52 PM

Did you observe this link in the forum you linked xxxx://xxxxxxxxxxx.com/seekhash.php

I shouldn't be so sure?

BTW. I was surfing and read in one forum message that a guy tested to crack the hash, and he get passwords out of it,
so it is possible to get passwords out of hashes

GazOutEast · October 13, 2007, 05:17:43 PM

Karl - how's that?

Does it contain anything that would let someone get into our sites?

Mine went mammaries upwards about 2am GMT 13 Oct and I can't get back into it at all.

Surferbird · October 13, 2007, 05:18:16 PM

Quote from: Tony on October 13, 2007, 05:05:25 PM
Quote from: Surferbird on October 13, 2007, 04:58:20 PM
Good that you found/have it because i dont wanna involve me in anything more with this, it is unders investigation in Finland by police or whoever.
They say in news it is biggest password expose in Finland. I was curious enought to check if my info was there but i was lucky, none of mine was there

News link (only in finnish) http://www.yle.fi/uutiset/kotimaa/oikea/id72257.html

Thank you for highlighting this.

Would you be kind enough to provide a translation - as this will help the team respond correctly to the newspaper if required.

You do not need to identify yourself

Thanks again,
Tony

I'm bad translator, but i think you could ask someone in finnish support to do it

Surferbird · October 13, 2007, 05:40:43 PM

Here is the Finnish Cert-Fi Warning text (again only in finnish) becuase i couldn't fin anything in English so far

I hope some nice finnish user translate text for others?

http://www.cert.fi/varoitukset/2007/varoitus-2007-7.html

niko · October 13, 2007, 06:17:05 PM

Most likely this is not SMF related problem, it's just that hackers have got root (or similar) access to database. List includes passwords also for other systems.

Basically message was at beginning that it includes 78k passwords (or actually almost 79k).
29 800 md5 hashes, few hundred sha1, and 33k "not so nice" SMF forum hashes and some plain text.

And how big it's for small country like Finland.

Surferbird · October 14, 2007, 04:57:12 AM

If these hash is possible to generate to real passwords, it is a kind of smf problem too? SMF passwords are not crypted to really safe if you can generate real passwords from these hashes or whatever they are crypted with. Not directly smf error, but still danger thing for smf too in my mind.

One place they warned for using SMF software because it is by the writer an easy target to stole this kind of thing from, and this is not very good for smt software?

Tony Reid · October 14, 2007, 05:39:01 AM

Only really old versions of SMF used MD5 hashing which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable,

niko · October 14, 2007, 05:51:56 AM

Every forum system is vulnerable to this kind of attack. It's not very quick to generate valid password for SMF's hashes since it's salted with username making rainbow tables useless and thus you would've to bruteforce password which can take many years. But you still should change passwords and use complex ones.

According to CERT-FI in some cases hashes were stolen via phpBB and database exploits (probable means servers like MySQL).

Quote from: Tony on October 14, 2007, 05:39:01 AM
Only really old versions of SMF used MD5 hashing which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable,

There are rainbow tables for sha1 but these doesn't work for SMF since SMF salts passwords.

Surferbird · October 14, 2007, 06:01:00 AM

At the end, this shows that you should allways update your smf software to latest version

niko · October 14, 2007, 06:05:06 AM

Quote from: Surferbird on October 14, 2007, 06:01:00 AM
At the end, this shows that you should allways update your smf software to latest version

And others softwares too so no one can crack into and steal hashes

H · October 14, 2007, 07:37:10 AM

Quote from: Tony on October 14, 2007, 05:39:01 AM
Only really old versions of SMF used MD5 hashing which is crackable. Many forum systems and other web applications still use MD5.

Current versions of SMF use SHA1 and as far as I know are not directly crackable,

I wasn't around for the SMF 1.0 series but if the MD5 uses the username as a salt (like 1.1 with sha1) then I imagine getting actual passwords from these hashes still takes quite a bit of time

News:

WARNING: 33.000 SMF password stolen and on the loose in Finland