IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM

LiroyvH

In a way yes.
Assuming that the other site that was hacked had their passwords encrypted, the hacker would first have to decrypt that password ("crack") in order to use it to log in here.

It's not like the server or site was hacked/cracked in the pure essence of the word, but the database of the other site allowed to crack the administrator's password and thusly obtain access here. Yet, now that it is our database that will be in the hands of whoever did it, it means that the passwords in our database are prone to such "cracking" as well now.

Bit confusing to explain, I know. :P
Hope this cleared it up though.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

BigBen

This might benefit most, not saying this will EVER keep you from being hacked, but I use different user names on various places, if it's a little bit the same, I would add characters or numbers to keep the hacker guessing.
It's just something I've always done... Just my 2 cents.

Herman's Mixen

time to implement sha1, sha2 and sha3 combined :P
Kind regards, The Burglar!

House Mixes | Mixcloud
Any Intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

medicMe

I just wanted to say:

I think CoreISP and the admins have done a great job.

The people giving him/them crud for the breach and how it was handled probably don't have a basis of understanding that qualifies them to make such comments in the first place. It's annoying to read.

So thanks CoreISP and gang! And I hope the rest of the fallout goes well. :)

Cheers

Herman's Mixen

We are Secure :D

yes the team did a great job working on this one :P

TheListener

Quote from: ChalkCat on July 27, 2013, 05:46:12 PM
.... and occasionally demand cups of tea  :P

Which you take hours to make.

:D

French

You all have surely done a great job, and kept the members well informed; that deserves respect.

Just curious:
How did you discover that the database was hacked? Were there any signs or indications that something was going on?

LiroyvH

No comment at this time.

If you suspect you might be affected, do a scan on your homedir for recently changed files and check your admin profiles for weird IPs.
"find -mtime" is an example of a nice tool to use for finding modified files.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
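
Added example (not part of the original post, and not SMF's own tooling): one way to run the "find -mtime" check suggested above, as a shell function that lists files changed in the last N days, newest first. The function name, its arguments, and the use of GNU find's `-printf` option are assumptions of this example.

```shell
#!/bin/sh
# recent_changes DIR [DAYS] [PATTERN]
#   DIR      directory to scan (for example your home or forum directory)
#   DAYS     look-back window in days (default 7)
#   PATTERN  optional find -name glob, e.g. '*.php' (default: every file)
# Prints "YYYY-MM-DD HH:MM path" for each regular file modified within
# the window, newest first. Assumes GNU find (for -printf).
recent_changes() {
    dir=$1
    days=${2:-7}
    pattern=${3:-*}

    if [ ! -d "$dir" ]; then
        echo "recent_changes: not a directory: $dir" >&2
        return 2
    fi

    # %T@ is the modification time as epoch seconds; it is used only as
    # the sort key and is cut away before the line is shown.
    find "$dir" -type f -name "$pattern" -mtime "-$days" \
        -printf '%T@ %TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null |
        sort -rn |
        cut -d' ' -f2-
}

# When the script is run with arguments, scan the given directory:
#   sh recent_changes.sh /path/to/forum 14 '*.php'
if [ "$#" -gt 0 ]; then
    recent_changes "$@"
fi
```

Modification times can be reset by whoever changed a file, so an empty result does not prove nothing was touched; comparing files against a clean copy of the same release is the stronger check.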

French

Quote from: CoreISP
No comment at this time.

Clear, I suppose the investigation is still ongoing... thanks anyway for your explanation  ;)

brynn

Quote from: Kindred on July 27, 2013, 07:18:13 PM
brynn,

because he was not aware that the other site had been compromised. The reason that we put this out as fast as we did after confirming the issue was to avoid just that scenario...  the hacker's goal was to acquire the information as quietly as possible, thus avoiding anyone knowing and resetting their passwords on other sites.

Ooohh, I see.  Thanks for explaining that  ;)

edit - removed some unimportant ramblings  :laugh:




Quote from: evgueni on July 27, 2013, 08:16:31 PM
I fail to find how to change my community password here...
Does anybody else have trouble changing it?

1 - From the navigation bar, click on Profile > Account Settings.
2 - Type in your new password twice, in the space provided.  (Or copy/paste, for better accuracy.)
3 - If you set up a secret question for yourself (previously) you'll see that next, and you'll need to answer it.  (If you've never set one up, just skip that part.)  (Or maybe you'd like to take this opportunity to set one?)
4 - Then at the bottom, type your old password.  (Or copy/paste, for better accuracy.)
5 - If you normally use the forum in a non-Albanian language, be sure and set Preferred Language (near the top) to your language, before you click Change Profile.  Otherwise, parts of the site will show up in Albanian language.  (Guess how I learned that?!  ;D)
6 - Click Change Profile.

When the page changes, you should see a little text that says your profile was changed successfully.

dsl25

If this is still of any interest: I got the email today, about 10 hours ago.
I don't know my ID but this is probably a high figure as I joined about 1 month ago.

Sorry for what happened, we always learn from mistakes but, anyhow, hackers are always one step ahead - whatever we do.

Nobody is 100% secure on the internet and I find all those posts trying to blame someone really pathetic. If you want to blame somebody just blame yourself using the internet. Typing machines and faxes are still on sale in specialized stores. After purchase just use the "rollback 1 century" feature on your keyboard.

French

Quote from: dsl25
Nobody is 100% secure on the internet and I find all those posts trying to blame someone really pathetic.

You are right about that, that makes no sense at all.
But a little criticism is allowed here, or not  ;) One of the most common database-related vulnerabilities is a poor password policy; like I said before, passwords must be changed on a regular basis. Not everyone seems to agree, but in my opinion, certainly when you're in the group of administrators and team members, it's a must; this group is more interesting for a hacker than a regular user, I think?

Joker™

Hi everyone,

First of all thanks for the info Core.

I still remember back in 2009, I was a moderator of pretty large sized website. When it got hacked the admin informed us secretly that the DB is hacked and we should change our passwords, moreover he/she told us not to transfer the news to other members.

Well, looking at that incident and the current incident (what happened with SMF), it's really a great gesture shown by the SMF team by informing all of us and getting into discussion with its members. As a member, this sort of transparency from the administrating team is really appreciable. Just my thoughts.

- Joker (without TM this time :P).
"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

Dav999

I received the mail yesterday, thanks for the info. For the SMF team, it's a pity that this has happened because they will lose trust of people who keep thinking it's a security problem in SMF even though it has been clearly stated that it isn't.

Chalky

Yes, unfortunately some people will always choose to believe their own thing no matter what information is presented to them.  All anybody honest can do is exactly what the SMF team have done: provide factual, transparent and timely information.  How people choose to receive that information is beyond our control  :(

青山 素子

Quote from: French on July 28, 2013, 06:39:56 AM
like I said before, passwords must be changed on a regular basis. Not everyone seems to agree

Many prominent security minds disagree with your opinion:

Bruce Schneier says:
Quote
So in general: you don't need to regularly change the password to your computer or online financial accounts (including the accounts at retail sites); definitely not for low-security accounts. You should change your corporate login password occasionally, and you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook password. But if you break up with someone you've shared a computer with, change them all.


Gene Spafford says:
Quote
The result is a stale policy that may no longer be effective...or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

...

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!    It is a "best practice" based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today's systems, especially in academia!


Steve Bellovin, in the magazine IEEE Security and Privacy writes (PDF) (Google Docs Viewer):
Quote
Users have to remember too many passwords these days; if they're forced to change them too often, evasive behavior results. Password patterns—secret1, secret2, Secret1, Secret2, and so on—can't be detected unless cleartext of old passwords is stored (on yellow stickies or in plaintext files on insecure machines, for example).


Anne Adams and M. Angela Sasse in the magazine Communications of the ACM write (PDF) (Google Docs Viewer):
Quote
Many users have to remember multiple passwords, that is, use different passwords for different applications and/or change passwords frequently due to password expiration mechanisms. Having a large number of passwords reduces their memorability and increases insecure work practices, such as writing passwords down—50% of questionnaire respondents wrote their passwords down in one form or another. One employee emphasized this relationship when he said "...because I was forced into changing it every month I had to write it down."


I think I'll trust the wisdom of the folks who have done computer security research for decades over some random person on this board.

Do feel free to cite resources to back up your opinion.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


giappaig

If you encode a password in md5 or sha-1, can a hacker decode it?