IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM

kat

I changed my password to "invalid".

Now, if I forget what it was and type in the wrong one, it tells me what my password is...

"Password invalid"

;)

TS4Life

How is it possible to hack the database????? I think that the security here is missing. And I'm happy I am using a different script for my sites. Sorry SMF, this is not okay.

Kindred

TS4Life,

Did you even actually read the report?
Especially the section which clearly stated that this was NOT a hack due to any vulnerability in the software?

Changing your script will not increase nor decrease your site's security in this case. Especially since several other (major) sites were also compromised using the same method and using OTHER forum (and non-forum) software. As we pointed out, this was due to a lax password protocol on the part of one of the admins, who has been chastised... but, as Arantor also points out, "It is often significantly easier to leverage a weakness in a person rather than in the technology under them, as was done here."
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

earthasa

Brilliant @ K@ !
I've followed suit.

New password, I'm secure.

"invalid". Instant password reminder, reason to resist password change eliminated.  ;)


I'm confused about the use of salt and encryption in your database. Since my account had been inactive for some time, I take it that my password was probably stored as an MD5 hash? If so, did those old password hashes hash more than the password text itself? -- For newer accounts I read conflicting information -- that what's hashed was the SHA1 of username+password -- and I also read that there was a 4 digit hex (16-bit / 64k-value) salt included in the hash. It would be nice to get clarity on exactly what different hashes are in use in the database, and how each was computed, so as to estimate which accounts of users who have a common username, email, or password elsewhere are at greatest risk of having the accounts correlated with each other / direct hash collisions.

When an account is deleted on SMF, is the user record completely purged?  What else is deleted or not deleted? PMs, posts, etc.  Sadly for security, I know many sites have a policy of not deleting accounts, only deactivating  them.

It sounds like the security question/answer did not hash the security answers? (reading between the lines).  That might be a good idea.  With lots of salt.


TS4Life, SMF may be able to make some implementation changes that MIGHT make it harder for a hacker who manages to get ahold of an administrator's password to access user data, but note that it will never be guaranteed secure against such attacks. There will always be SOME way to access the user data, and unfortunately - as web technology works -- the script itself always has access, making scripts notoriously vulnerable to security holes. A security hole in the underlying script engine or server software, too, might allow an attacker to execute custom code and therefore gain access. There have been major security breaches at SSL certificate vendors, credit card companies, and dozens of major corporations with multi-million dollar budgets. Security requires ongoing vigilance, and as everyone has been saying for decades -- before the web existed -- using a different password everywhere is, for better and for worse, a necessary precaution to limit the damage when your password somewhere is compromised (and it most likely will be or has been before). Ideally you use complex passwords for all accounts, but certainly for banks and your email account (someone who can get into your email can usually reset your password on your other accounts).

iaccountant

Thank you for the swift notice and well crafted, clear message SMF folks.

Best wishes for a smooth resolution.

Safeway

I've already received three Apple password reset emails in the inbox associated with my SMF account. SMH.

medalta

Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to ensure they follow proper protocol; if they are that dense they don't understand the consequences of their laziness, they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.   

vivithemage

All too common now a days ... thanks for the heads up.

kat

Quote from: Medalta on July 25, 2013, 10:47:23 AM
This was a failure on the part of the admins here.

Of course it was. Such has been admitted.

Now, tell me that you've never made a mistake and I'll call you a damned liar. ;)


GravuTrad

Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to ensure they follow proper protocol; if they are that dense they don't understand the consequences of their laziness, they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.   


Goodbye man. 8)
On a toujours besoin d'un plus petit que soi! (Petit!Petit!)


Think about Search function before posting.
Pensez à la fonction Recherche avant de poster.

playnetrek

Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.

青山 素子

Quote from: earthasa on July 25, 2013, 07:57:15 AM
Since my account had been inactive for some time, I take it that my password was probably stored as an MD5 hash?

Only if you haven't logged in since this forum was running a 1.x build. If you got a "password security upgraded" message on your recent login, that is a sign that your account was still using the old 1.x MD5 hashing.


Quote from: earthasa on July 25, 2013, 07:57:15 AM
If so, did those old password hashes hash more than the password text itself?

I'm not sure, I'd need to check the code (I'm not intimately familiar with that part of SMF). However, MD5 is quite weak to collision attacks, so those are more at risk, even salted.

Quote from: earthasa on July 25, 2013, 07:57:15 AM
It would be nice to get clarity on exactly what different hashes are in use in the database, and how each was computed, so as to estimate what accounts users who have a common username, email, or password elsewhere are at greatest risk of having the accounts correlated with each other / direct hash-collisions. 

It doesn't matter so much. SMF currently uses a salted SHA1 hash. This means that plain rainbow tables can't be used, they'd have to be generated for each username, as was pointed out earlier.

Also, it's not so much an issue of if but rather when the values are recovered. For short or easy passwords, it'll be much sooner than for more secure ones. However, with dedication and time, collisions can be found for every hash.

Quote from: earthasa on July 25, 2013, 07:57:15 AM
When an account is deleted on SMF, is the user record completely purged?  What else is deleted or not deleted? PMs, posts, etc.  Sadly for security, I know many sites have a policy of not deleting accounts, only deactivating  them.

The account information is removed, along with PMs. Posts by the user are retained, but dissociated with the old user account. They show up as guest posts with a display name set as the old user's login.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here.

Yes, yes it was. You're pointing out the obvious.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system.

Please make sure to let the people running the Apple Developer website, NASDAQ forums, Ubuntu forums, Club Nintendo, Morningstar Document Research, and Ubisoft's account system know the same too.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
When you give someone admin rights you take the time to ensure they follow proper protocol; if they are that dense they don't understand the consequences of their laziness, they shouldn't be granted anything but basic rights.

I guess you are perfect and use 20+ character randomly-generated passwords for everything, right? ****** happens and people f*** up at times. It doesn't mean they are dense or lazy. It means they are human.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

Please make sure to let practically every company that has ever had a security breach know that. Most security breaches come down to human fallibility. I sometimes do security reviews for medium to large companies (the kind that exist to make a profit and sell products) and the amount of WTF moments I've had is considerable. Honestly, I've done some stupid stuff as well on my personal server and the servers at my company. Once I find out how stupid it is, I fix it. Sadly, someone did something rather boneheaded on this forum and caused a lot of work. Luckily, it's being corrected.


Quote from: Medalta on July 25, 2013, 10:47:23 AM
I am done with SMF (S****d M****r F*****'s)

Lowering yourself to crass attacks? Really? I think this forum software can survive without your attitude. Remember your positions next time someone points out a stupid mistake you made and please do make sure to appropriately discipline yourself in the way you seem to wish here.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Yes. It was tracked down to an unauthorized login in an administrative account. The holder of the account admitted to using the same password on other sites, at least one of which was compromised prior, iirc.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.

They were running vBulletin.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
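The exchange above (earthasa asking how the stored hashes were computed and whether same-credential accounts can be correlated, and the reply that a username-salted SHA1 forces tables to be rebuilt per username) is easier to reason about with a concrete script. The following is an added example and not SMF's own code; it assumes only the scheme shape described in the thread (SHA1 over lowercased username + password) and does not claim to reproduce SMF's actual internals. It shows that such a hash differs across usernames but is identical wherever the same username/password pair is reused, and contrasts it with a per-record random salt plus a slow key derivation (PBKDF2), which is also what hashing security-question answers would look like.

```python
"""Added example (not SMF's code): username-salted SHA1 vs per-record salted PBKDF2.

The legacy scheme shape is an assumption taken from the thread's description;
the sample records below are constructed for illustration only.
"""
import hashlib
import hmac
import os


def legacy_hash(username: str, password: str) -> str:
    """Deterministic SHA1 over lowercased username + password (assumed shape).

    Same username + same password on two sites => identical hash, which is
    exactly the cross-site correlation risk raised in the thread.
    """
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def correlate(records):
    """Group accounts whose stored legacy hashes are byte-identical.

    records: iterable of (site, username, hash) tuples, e.g. from two leaked dumps.
    Returns {hash: [(site, username), ...]} for every hash shared by 2+ accounts.
    """
    groups = {}
    for site, user, pw_hash in records:
        groups.setdefault(pw_hash, []).append((site, user))
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


# Constructed sample: "alice" reused one password on two sites, "bob" did not.
SAMPLE_RECORDS = [
    ("forum-a.example", "alice", legacy_hash("alice", "hunter2")),
    ("forum-b.example", "Alice", legacy_hash("Alice", "hunter2")),
    ("forum-a.example", "bob", legacy_hash("bob", "hunter2")),
]


def demo_correlation():
    """Run correlate() over the constructed sample and return the shared groups."""
    return correlate(SAMPLE_RECORDS)


def pbkdf2_hash(secret: str, iterations: int = 200_000) -> str:
    """Per-record random 16-byte salt + PBKDF2-HMAC-SHA256; returns 'salt$iter$hash'.

    Because the salt is random, hashing the same secret twice yields two different
    strings, so nothing about reuse across records or sites can be read off the hash.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(secret: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_security_answer(answer: str) -> str:
    """Store a security-question answer the same way as a password.

    Answers are normalised (trimmed, lowercased) before hashing so that
    'Rover ' and 'rover' verify against the same record; hypothetical helper.
    """
    return pbkdf2_hash(answer.strip().lower())


def verify_security_answer(answer: str, stored: str) -> bool:
    return pbkdf2_verify(answer.strip().lower(), stored)


if __name__ == "__main__":
    print("shared legacy hashes:", demo_correlation())
    rec = hash_security_answer("Rover ")
    print("answer verifies:", verify_security_answer("rover", rec))
```

Running it shows one group of two accounts (alice on both constructed sites) sharing a legacy hash, while bob's hash for the very same password stands alone; the PBKDF2 records, by contrast, never repeat, so a dump of them reveals no reuse relationships and each record must be attacked individually at the cost of the configured iteration count.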


playnetrek

Quote from: 青山 素子 on July 25, 2013, 11:31:41 AM
Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Is SMF certain there isn't a vulnerability that needs to be addressed? That this was only an administrative mistake?

Yes. It was tracked down to an unauthorized login in an administrative account. The holder of the account admitted to using the same password on other sites, at least one of which was compromised prior, iirc.


Quote from: playnetrek on July 25, 2013, 11:29:08 AM
Received a notice Tuesday from ubuntuforums.com that they had also been hacked. Believe they were running SMF and are currently still down.

They were running vBulletin.


Thank you for clarifying this.

ARG01

Quote from: Medalta on July 25, 2013, 10:47:23 AM
I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.


Again-

Quote
Other than Craigs List I have never encountered so many whining babies.

Later tater. Don't let the door hit you on the way out.
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

FrizzleFried

Quote from: Medalta on July 25, 2013, 10:47:23 AM
Sorry but "stuff doesn't just happen". This was a failure on the part of the admins here. By not following a basic tenet of board management you have conceivably compromised everyone that has supported and used this system. When you give someone admin rights you take the time to ensure they follow proper protocol; if they are that dense they don't understand the consequences of their laziness, they shouldn't be granted anything but basic rights.

I really don't appreciate you telling me of the need to, and reasons for, changing my passwords. I figured that out by the time I had read the subject line of your email.

Getting hacked is a part of doing business we all have to deal with, but getting hacked because of someone's laziness and stupidity is unacceptable.

I am done with SMF (S****d M****r F*****'s)

I am deleting my account once this is posted. Have the decency to ensure all my related data is removed from your system.

And some thought I was a drama queen drama-monger? [corrected ... thanks Kindred!] ;)

:)

NOTE: your account is still active BTW.

Kindred

just for the record, I never called you a drama-queen (someone who rules drama and by drama), just a drama-monger (someone who sells or trades in drama) :P

But yeah.... you don't even hold a candle to some of these responses..... :)
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

ARG01

Who's up for some pizza  and brew?
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

Safeway

Anyone else getting random password reset emails? Thankfully the password I used here isn't one that I use anywhere else, and I've checked my email login history to verify that my email account hasn't been breached. It still gives me the creeps to know that someone is actively attempting to take over our accounts.

Any idea where the unauthorized accessor is located? US, Russia, Turkey, etc.?

Kindred

Random password reset emails from simplemachines.org?

It is unlikely that any continuing attack is going on here at simplemachines.org. The hacker only wanted one thing - the memberlist from the database. To do that, he needed an admin account.
So, normal members (while you should change your password, as a standard security protocol response) really should have nothing to worry about here on SMF itself. The main concern was if you may have used the same credentials on other sites.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Safeway

Quote from: Kindred on July 25, 2013, 12:40:49 PM
Random password reset emails from simplemachines.org?

No, from Apple at the email associated with my SMF account. Three so far.
