IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


tomreyn

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.

That's a bit of a late notice (I do understand you had to contain the compromise, roughly analyze the attack, determine and fix the vulnerability before announcing it), but surely I appreciate it very much.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Unfortunately for us, an Administrator used the same password elsewhere on another site and access to our site was obtained when the password from the other hacked site was successfully decrypted. As a result, the hacker was able to login here with admin rights.

Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
This is !!NOT!! a security issue with the SMF software. If you are running the latest SMF version you have nothing to fear from this hack if you use different passwords.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Yes, the passwords are stored with encryption.
Unfortunately, even encrypted passwords can be decrypted. Hence, the passwords used here should not be considered safe anymore.

This would not be a problem (for other sites) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing and try to come up with an implementation for SMF.

Quote from: CoreISP on July 23, 2013, 12:45:08 PM
Thank you for your consideration and we deeply apologize for any inconvenience this causes for you.

Now this brings up the question of how to prevent such issues in the future.

The obvious answer is that users, but even more so admins, must use proper password hygiene. Password generators which create highly random passwords are not a recent invention, password reuse is and has been a no-go area for a good while.

But there's more to it.
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.
We need better password hashing, as discussed above.
Also rate limiting on authentication requests is a really good idea. Logins could be combined with captchas for added security. You could then also require a password reset (by e-mail) if a login failed three times in a row (without a CAPTCHA this opens you up to a DoS condition where anyone can lock out another user where he knows the username).

And when a compromise took place, it should be really simple for the admins to initiate and enforce a site-wide password reset on all existing users, by invalidating all passwords and making users go through an e-mail based password reset. That's what we're doing for forum.megaglest.org currently, but it seems to be not exactly a straightforward process with SMF 2.0.4, and a couple more questions came up along the way.
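An added illustration of the lockout trade-off raised in this post (not code from the thread or from SMF): a login guard that charges failures to the source address first and only advances the per-account counter when the request also carried a solved CAPTCHA, so that someone who merely knows a username cannot force a reset on it. The window, the limits and the caller-supplied CAPTCHA result are assumed values.

```python
import time
from collections import defaultdict, deque

WINDOW = 900         # seconds of failure history kept per source address (assumed)
IP_LIMIT = 20        # failed attempts allowed per source address per window (assumed)
LOCKOUT_AFTER = 3    # consecutive CAPTCHA-backed failures before a reset is forced


class LoginGuard:
    """Per-source rate limiting in front of per-account lockout.

    Account lockout on its own lets anyone who knows a username lock its
    owner out by failing on purpose. Here a failure only advances the
    account counter when the request also carried a solved CAPTCHA; an
    unsolved one is charged to the source address instead."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the window can be tested
        self.ip_failures = defaultdict(deque)
        self.account_failures = defaultdict(int)
        self.reset_required = set()

    def _recent_failures(self, ip):
        # Drop timestamps older than the window, return what is left.
        q = self.ip_failures[ip]
        cutoff = self.now() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def attempt(self, ip, user, password_ok, captcha_ok=False):
        """Outcome: 'ok', 'rate_limited', 'captcha_required', 'denied' or 'reset_required'."""
        if user in self.reset_required:
            return "reset_required"
        if self._recent_failures(ip) >= IP_LIMIT:
            return "rate_limited"  # applies even to a correct password from that source
        if password_ok:
            self.account_failures[user] = 0
            return "ok"
        self.ip_failures[ip].append(self.now())
        if not captcha_ok:
            return "captcha_required"  # charged to the source, not the account
        self.account_failures[user] += 1
        if self.account_failures[user] >= LOCKOUT_AFTER:
            self.reset_required.add(user)
            return "reset_required"
        return "denied"
```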

NanoSector

SMF has a built-in login limiter, or how you'd want to call it. After my password changes I came across it quite a few times :P
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

LiroyvH

Quote
That's a bit of a late notice (I do understand you had to contain the compromise, roughly analyze the attack, determine and fix the vulnerability before announcing it), but surely I appreciate it very much.

Late? :)
It was announced within 16 hours after the compromise was found, which is extraordinary fast.
Looking at comparable hacks, some companies take multiple days, even weeks or months before they inform their users *if* they inform their users to begin with.

If there's anything we did well in my opinion, it was the speed wherein the announcement was made. :)

Quote
Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Nope.

Quote
This would not be a problem (for other sies) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing and try to come up with an implementation for SMF.

Debatable. The problem is that if the method of how the hashing is done is known (which isn't too hard to find out with open-source software), you can still start generating insane amounts of hashes to compare with. If anything, you delay the inevitable.
Of course, the stronger the password indeed the more impossible it becomes with such methods of hashing and you can greatly minimize certain risks... With a catch:
The problem is that most people *don't* use strong passwords. No matter how you hash, if the method is known, simple passwords are still quite easy to crack. That's the biggest issue with the end users in my opinion.

But yes, anything can be made more secure. :)
The problem is that even if you do, all you do is make it take extra time to decrypt; but there's no single guarantee that it will be impossible to decrypt it. Now the current method is "outdated", now you make a new one and in two years hardware has advanced so much that the new method is considered obsolete because the hardware can brute so fast it doesn't matter anymore.

It was an interesting article to read for sure, though. Thank you for sharing :)


Quote
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.

Yes, that's child's play. Either by session stealing or sniffing.
SSL encryption is actually being worked on enabling here.
Not that it's relevant to the hack at hand.

And no, it's not easy to force passwords resets.

Myself, I'm very much in favor of two-factor authentication. Surprised you didn't mention it as possibility. ;) Much more secure than anything else.
Unfortunately it may lead to inconveniences, though for high-profile accounts (such as admins), it should be considered a necessary evil good.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

byproduct

will someone explain to me
WHY
for 3 days y'all been posting about this
and only just minutes ago
I get an email warning to change my passwords?


Chalky

Because you are user number 276199.  The server is working all out sending the announcement email but it still takes time to send nearly 300,000 emails.  Hopefully I will get mine sometime tomorrow then, since I'm user number 325731  ;)

CountryLady

Emails can get lost or shuffled to the wrong address, or routers along the way have issues and transmittal is delayed, or... or... or...

"The Internet" is quite a fragile web, with a wide assortment of dangers that can cause errors, redirects, dropped packets, etc....

There is much opportunity to learn in this current breach, and in this thread as well.

Anyone who is not subscribed to this BOARD via "Notify" system, as well as via the profile setting to allow "SMF Important Announcements" by email is reducing their chances of getting a timely HEADS-UP. Oh, and if the email address used here at SMF is not a member's primary email, it may take a while for them to check the email address they used for SMF, unless there is a redirect in place to route it to the primary email client.

The time from intrusion to notification in this case was phenomenal.
Job well done SMF Team~!



byproduct



no wonder the hackers and spammers stay ahead

kat

Of course they do.

They do with Windows, virii/viruses, with everything.

Until someone works-out that there's an opening and exploits it, most people won't even know it exists.

It's not just on the net, either. Nothing, in real life, is 100% secure, either.

But, particularly on the net, as I said, earlier, anyone who believes anything is 100% secure is 100% deluded.

Ambrosia

Quote from: ARG on July 26, 2013, 11:47:00 AM
Quote from: DragoN_SAMP on July 26, 2013, 11:40:39 AM
Quote from: ARG on July 26, 2013, 11:06:13 AM
Become active and then maybe your opinions would have some merit.

And all the ppl that use SMF for years just cus they aren't so active in the forums can go f*** themselves. Yeah, right.


I am not saying that. Where exactly did I say that? It's just funny that non-active members come here to complain only when an issue arises. They act as if they know the facts by reading the first post of a topic and don't bother to read through the entire thread. If they did then they would more than likely have a different opinion. Pure laziness shows ignorance.
My point is, if you don't know the facts then stop acting like a little schoolgirl that just had her hair pulled on the playground.
[Bolding mine.]
ARG, although I understand your frustration after reading every last post in this thread, a frustration I share, I do have a request. As a woman I find the put down of another and their immature behavior equated to how a girl or woman would act if injured to be quite offensive. I imagine a little schoolboy who had just had his hair pulled would be upset also. Sexism doesn't become you. You are right, however. The whiners need to grow up and get a life.


I got the notification this morning in my spam box. Why their system thought it was spam, I cannot say. I marked it as not spam and read it, then came here and checked out the thread. Although I did read over half the thread this morning, I had things to do and could not come deal with this issue until now. I don't know what password I used here previously, so now it has been changed.  ;)

I want to thank the powers that be for all their hard work in dealing with this frustrating situation. I know you all have put in a tremendous amount of work and effort to deal with this breach and I greatly appreciate it. The fact that the notifications started going out only 16 hours after the breach was found is pretty amazing. That is quick work! Thank you for being so quick to let your users know there was a problem. You all rock. :)



kat

Thanks, Ambrosia.

I read that as "Girls tend to have louder, more piercing screams than men do", which they do, generally.

But, of course, I may be biased, being a mere male. ;) (Despite what my gender icon says-Long story)

Point taken, though.

Chalky

That's how I read it too K@ (and my gender icon is correct  ;) )  Also at my school the boys would have been more likely to react to such a taunt with a punch in the face than a screaming fit.

Come to think of it, so would the girls...   ::)

ARG01

Quote
ARG, although I understand your frustration after reading every last post in this thread, a frustration I share, I do have a request. As a woman I find the put down of another and their immature behavior equated to how a girl or woman would act if injured to be quite offensive. I imagine a little schoolboy who had just had his hair pulled would be upset also. Sexism doesn't become you. You are right, however. The whiners need to grow up and get a life.


OMG! It's a simple, very well known and often used figure of speech. Get over it. That said, I will part ways with this thread as attempting to argue my point with forum trolls is nearing the point of exhaustion.

Y'all have a nice day.


Gee, hope that I didn't offend anyone with that statement.  :o
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

kat

Quote from: ChalkCat on July 26, 2013, 04:40:43 PM
That's how I read it too K@ (and my gender icon is correct  ;) )  Also at my school the boys would have been more likely to react to such a taunt with a punch in the face than a screaming fit.

Come to think of it, so would the girls...   ::)

Ah, but I went to a good ol' Grammar/Technical school.

We were all gentlemen (Even the ladies!)




...and if you believe that.... ;)

LiroyvH

Ambrosia,

Please keep in mind that if you're unsure which password you used and you might suspect you used the same password elsewhere: you should change the password at the other sites where you used it.
That will prevent any possibility for your site to get compromised.

Thanks :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Gary

Heck, if you're not sure if the same password is used on SM.org and other sites, a good tip I can give is: Change them all anyway! :P
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.

tomreyn

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Late? :)
It was announced within 16 hours after the compromise was found, which is extraordinary fast.
Looking at comparable hacks, some companies take multiple days, even weeks or months before they inform their users *if* they inform their users to begin with.

If there's anything we did well in my opinion, it was the speed wherein the announcement was made. :)

I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

16 hours would be really good indeed. How did you measure it?

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Hopefully this administrator is now an ex administrator. Or else it's just the remaining admins (having to deal with the compromise) and us forum users (who will likely receive more spam as a result) who will suffer from his or her bad password hygiene.

Nope.

Hmm, well I'm sure you have your reasons, and it's surely the admin teams' decision, not that of anyone else.
On the other hand I am now more concerned than before, which always happens when decisions are taken which at first hand seem bad, and no explanation is given to back them up (I haven't read the entire thread, though, so I may have missed it).

Quote
This would not be a problem (for other sites) if SMF were to use a stronger hash function (the current one is considered outdated) and used multiple rounds of hashing. I think this would really make a good improvement and should be worth focusing development on for a bit. Anyone who is able to contribute to this, please do read up on the state of the art of password hashing and try to come up with an implementation for SMF.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Debatable. The problem is that if the method of how the hashing is done is known (which isn't too hard to find out with opensource software), you can still start generating insane amount of hashes to compare with. If anything, you delay the inevitable.

Yes, and that's exactly what encryption and hashing are all about. Delaying the inevitable so much that it won't bite you for the next couple of years, or better, decades. You can attack every hash mechanism, every encryption, but if it would take more resources than are practically available within a short enough time frame, these attacks become irrelevant (for the time being), and an attacker will move on (to lower hanging fruit on the same or a different application / server).

The fact that the hashing mechanism is known is not much of a problem. History has shown that closed-source hashing mechanisms are often cumbersome and this is actually why NIST has chosen to switch to a fully open design and implementation contest for hashing mechanisms - the SHA series of hash functions are the very result of it, and while SHA-1 has a couple of open wounds now and the SHA-2 family members have their first scratches (some deeper, some less), SHA-3 has been the largest contest so far, bringing a lot of good candidates to light (which may also be used as alternatives to SHA-3). So please do not go this route, the very, very most homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Of course, the stronger the password indeed the more impossible it becomes with such methods of hashing and you can greatly minimize certain risks... With a catch:
The problem is that most people *don't* use strong passwords. No matter how you hash, if the method is known, simple passwords are still quite easy to crack. That's the biggest issue with the end users in my opinion.

It's true, most people continue to choose weak passwords. There are some counter measures to it, some of which are implemented in SMF, such as password policies (though there is room for improvement there, too - we have actually worked to improve this feature for our SMF install lately, and I hope we'll be contributing the resulting code back to SMF soon). But ultimately it's a problem which seems impossible to fix, and it's a matter of much debate. Nevertheless, just because many will happily decide to set weak passwords, or to reuse passwords, this doesn't mean that you should not make it possible to have better security for those users who do care. And much can be done about hashing in SMF even if you continue to provide PHP backwards compatibility (a noble approach), such as making the hash function selectable, or choosing it at installation / upgrade time (which would involve a sitewide password reset) based on what's available then.

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
But yes, anything can be made more secure. :)
The problem is that even if you do, all you do is make it take extra time to decrypt; but there's no single guarantee that it will be impossible to decrypt it. Now the current method is "outdated", now you make a new one and in two years hardware has advanced so much that the new method is considered obsolete because the hardware can brute so fast it doesn't matter anymore.

It was an interesting article to read for sure, though. Thank you for sharing :)

Happily, and thanks for reading it. About the outdating hash functions, again making them selectable can be an option there (but you will point out that a password hashing mechanism can consist of more than a hash function and this may need to change over time, too, and I would agree).

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
Quote
It's also easy to grab the password from an admin who is logged in to an Internet café since this forum doesn't use any transport encryption. SSL is really mandatory for all sites which provide a login nowadays.

Yes, that's childplay. Either by session stealing or sniffing.
SSL encryption is actually being worked on enabling here.
Not that it's relevant to the hack at hand.

I'm glad to hear SSL is being worked on, I think this would be a major improvement for this installation (and thanks for confirming the password was not stolen this way).

Quote from: CoreISP on July 26, 2013, 02:58:21 PM
And no, it's not easy to force passwords resets.

Myself, I'm very much in favor of two-factor authentication. Surprised you didn't mention it as possibility. ;) Much more secure than anything else.
Unfortunately it may lead to inconveniences, though for high-profile account (such as admins), it should be considered a necessary evil good.

I agree about its use for admin accounts. The reason I didn't bring it up is that I also like to keep the amount of user profile information collected to a minimum and to continue to provide an option for pseudonymity - you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with a free but closed-source software, but then you rely on the users' computers to not be compromised - which can work, or not, or something TPM based, but this won't help much there either (and TPM is not universally available and also has its very own privacy issues).

That said, multi-factor authentication is usually the way to go, where it's an option, and it'd be great to have SMF support it (as an option).




Edited to add:

Those of you wondering about how to get away from password reuse, and are using Firefox and its password store, please have a look at these fine add-ons:
Password Reuse Visualizer
Saved Password Editor

Those add-ons and an hour of your time are all you need to get back on par with current password security. Maybe a good key generator like that of KeePass would make another good addition, depending on the password scheme you use.

Anyone who is wondering about how to improve their password hygiene may want to take a look at this great article on this very topic:
http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html
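An added example (not SMF's code; Python rather than SMF's PHP, and not tied to any SMF API) of the versioned password hashing argued for in this post and in tomreyn's first post above: each record carries a scheme tag and work factor, a successful login against an outdated or under-iterated record is transparently re-hashed, and a site-wide invalidation leaves every account needing an e-mail reset. The "v1" scheme is a constructed stand-in for an outdated unsalted single-round hash, and upgrading on login goes one step beyond the reset-at-upgrade-time the post mentions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy for newly written records. Raising CURRENT_ITERATIONS later marks existing
# "v2" records as stale; they are re-hashed on the user's next successful login.
CURRENT_ITERATIONS = 100_000
RESET_REQUIRED = "reset"  # sentinel record: password invalidated, e-mail reset needed


def legacy_hash(password: str) -> str:
    # Constructed stand-in for an outdated scheme: one unsalted SHA-1 round.
    return "v1$" + hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, iterations: int = CURRENT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    # Salted, iterated hash; the record carries everything needed to verify it.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"v2${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement). replacement is a fresh record when the stored
    one verifies but its scheme or work factor is below current policy."""
    if record == RESET_REQUIRED:
        return False, None
    scheme, _, rest = record.partition("$")
    if scheme == "v1":
        ok = hmac.compare_digest(legacy_hash(password), record)
        return ok, (pbkdf2_hash(password) if ok else None)
    if scheme == "v2":
        try:
            iters, salt_hex, _ = rest.split("$")
            iters = int(iters)
            candidate = pbkdf2_hash(password, iters, bytes.fromhex(salt_hex))
        except ValueError:
            return False, None  # malformed record
        ok = hmac.compare_digest(candidate, record)
        stale = iters < CURRENT_ITERATIONS
        return ok, (pbkdf2_hash(password) if ok and stale else None)
    return False, None  # unknown scheme tag


class UserStore:
    """Minimal stand-in for the members table: username -> password record."""

    def __init__(self) -> None:
        self.records = {}

    def login(self, user: str, password: str) -> bool:
        ok, replacement = verify(self.records.get(user, RESET_REQUIRED), password)
        if ok and replacement:
            self.records[user] = replacement  # upgrade while the plaintext is at hand
        return ok

    def invalidate_all(self) -> None:
        # Site-wide reset after a compromise: no old password logs anyone in.
        for user in self.records:
            self.records[user] = RESET_REQUIRED

    def complete_email_reset(self, user: str, new_password: str) -> None:
        self.records[user] = pbkdf2_hash(new_password)
```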

Ambrosia

Quote from: CoreISP on July 26, 2013, 05:37:28 PM
Ambrosia,

Please keep in mind that if you're unsure which password you used and you might suspect you used the same password elsewhere: you should change the password at the other sites where you used it.
That will prevent any possibility for your site to get compromised.

Thanks :)
I will. I think I have changed almost all of my passwords in the last year from other sites getting hacked anyway. :D

Cheers!

SD-X

I'm starting to get a bit worried now. SMF wasn't the only major website attacked this week. Apparently Ubuntu Forums, and a major UK webhost known as "OVH Systems" were also breached:

http://ubuntuforums.org/announce.html
http://forum.ovh.co.uk/showthread.php?t=6699

I'm beginning to wonder if the attacks are related. I know thousands of websites around the world are always being attacked...but to have three major ones hit within days of each other and have similar data stolen is a bit surprising.

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Kindred

Did you even bother reading the whole message?  We already noted that several of these attacks are pretty certainly the same individual or group...  And used the same attack vector of shared passwords.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
