IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


SD-X

Quote from: Kindred on July 26, 2013, 09:25:44 PM
Did you even bother reading the whole message?  We already noted that several of these attacks are pretty certainly the same individual or group...  And used the same attack vector of shared passwords.
I'm well-aware of that one, (although I cannot speak for the guy who posted after me). I'm just a bit worried because of the timing between the three sites.

Also, if I'm remembering the original email announcement correctly, the user's password was stolen from another website where he used the same one, which was hacked. Given what has happened to Ubuntu and OVH Systems, it's a bit worrisome. Obviously they are likely not related, but it begs the question of "what if they could be".

Kindred

Sugar, obviously you are not aware... or not reading closely enough.

YES! WE ARE FAIRLY CERTAIN THAT THE HACKS ***ARE*** RELATED. The hacks seemed to use the same vector with the same goal (acquire the memberlist and passwords)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

SleePy

Quote from: tomreyn on July 26, 2013, 06:02:27 PM
I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

You may want to count again.  The initial post says the 22nd and this was posted on the 23rd (according to my timezone offset).  The fact you didn't get the email yet or took a while to receive it is something beyond our control.  In fact, I got the initial report as well and I can confirm that 16 hours is in fact accurate.  There are plenty of sites out there that will help you brush up on first grade math.

I am sure an intelligent person such as yourself knows and understands mass mailing and how it works.  I am sure you understand that services like Google, Yahoo, Hotmail/Outlook do not give a hoot when you are not a large site and they see you sending hundreds of emails to them in a short time period, and will think it's spam regardless of the contents of the email.  I am sure you understand some people say "I don't want this" and click spam/junk/bulk, and after enough of that it can cause an IP to get blacklisted.  I am sure you understand what stress mass mail puts on servers.  I am sure you deal with this all the time for multiple people, set up firewalls, configure spam filters, manage servers and know the ins and outs of how the email goes from start to finish at the lowest levels of the OSI model.  I sure know all of this because it's what I do every day and have to understand it, because when I don't, somebody doesn't get their mail, can't get to the "internet" or Google blacklists their IP and makes it near impossible to get off the blacklist.

Thank you and have a good day.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Secretmapper

What sort of encryption algorithm were you using?

Kindred

We use the standard SMF database structure. Please read the previous pages for a full discussion on why the encryption really doesn't matter anyway.

tassie73

Thanks for the heads up everyone :)

Two things spring to mind after wading through all the responses to this topic.

First, looks like this has cleared out a bit of dead wood from SMF and that can only be a good thing. :-X Get rid of those that think they are far superior to the rest of us mere mortals ;)

Second, a huge thanks to all the admins and other SMF team members for their awesome patience in dealing with some really, really, really stupid comments and responses.

And to the admin whose password was compromised, s**t happens. I am sure I have made way worse mistakes than this and yet amazingly here I am!

Take it easy and thanks again.

Chris

青山 素子

Quote from: tomreyn on July 26, 2013, 06:02:27 PM
I counted the time between initial discovery (as stated in the forum post) to when the first user on this forum I know received the e-mail announcement. Which is 4 days (July 22nd to July 26).

16 hours would be really good indeed. How did you measure it?

Counted from first alert to when the mails first started being sent out. Due to various factors that are beyond the control of this site, we can't send all 300,000 messages at once. It takes a bit of time to push that many messages out.

Quote from: tomreyn on July 26, 2013, 06:02:27 PM
So please do not go this route, the very, very most homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

If anything, SMF would probably move to something like bcrypt, PBKDF2, or scrypt.

Personally, I'm in favor of PBKDF2 as it's had a lot more scrutiny and comes from RSA. The problem is compatibility issues. For anything fancy, you'll need PHP 5.5 or newer. There is a compatibility library that allows bcrypt on older PHP versions, but it's 5.3.7 and newer only. There are a lot of hosts on older versions (RHEL/CentOS 6 are only up to 5.3.3, and I don't know if the bcrypt flaw was patched in their packages).


Quote from: tomreyn on July 26, 2013, 06:02:27 PM
you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with a free but closed-source software, but then you rely on the users' computers to not be compromised

Not necessarily. Something like Google Authenticator would work well. It's based on RFC 6238 and there are plenty of open and closed software products that implement it on desktop software and mobile devices.

At some point you have to trust you have done enough. Might I note that RSA had a breach of their SecurID database a while back, exposing the seed data for their customers' hardware tokens for customers who chose for RSA to retain that data.


Quote from: Secretmapper on July 26, 2013, 10:30:32 PM
What sort of encryption algorithm were you using?

SMF currently uses a salted SHA1 hash for passwords. It's not the best option, but it works with all the PHP versions SMF supports. It was also a pretty good choice when SMF switched to it and away from the older MD5 method.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
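An added example (not SMF's code) of the migration path sketched above: keep verifying legacy salted SHA1 hashes, and on the first successful login re-hash the password with PBKDF2-HMAC-SHA256 so the stored record gets stronger without a forced reset. The legacy format sha1(salt + password) and the record layout are assumptions for illustration, not SMF's actual schema.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # tune upward for production hardware

def legacy_salted_sha1(salt: str, password: str) -> str:
    """Stand-in for the legacy scheme; assumed layout sha1(salt + password)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing PBKDF2-HMAC-SHA256 string: pbkdf2$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute with the parameters embedded in the stored string; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check the password against whichever scheme the record uses.
    On a legacy match, replace the hash in place so the next login uses PBKDF2."""
    if record["hash"].startswith("pbkdf2$"):
        return pbkdf2_verify(record["hash"], password)
    expected = legacy_salted_sha1(record["salt"], password)
    if not hmac.compare_digest(expected, record["hash"]):
        return False
    record["hash"] = pbkdf2_hash(password)  # transparent upgrade on successful login
    record["salt"] = None                   # salt now lives inside the hash string
    return True

if __name__ == "__main__":
    # Constructed sample user still on the legacy scheme.
    user = {"name": "alice", "salt": "k3Qz", "hash": legacy_salted_sha1("k3Qz", "correct horse")}
    print(verify_and_upgrade(user, "wrong password"), user["hash"][:7])
    print(verify_and_upgrade(user, "correct horse"), user["hash"][:7])
```

Until every user has logged in once, the table still holds SHA1 hashes, so a breach window like the one in this thread still exposes those rows; the upgrade only helps accounts that are actively used.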


mashby

The fact that this topic exists for all to see has a lot of merit for the administrators of SMF. A lot could have been swept under the rug, as in, this topic and the subsequent email could have never been sent and most if not all of us would have never been the wiser. Yes, the situation sucks. It would/might have happened to any site. Better to stand up and be counted in terms of integrity than to live in ignorance. Nice job, SMF, for being up front and honest. Kudos to you. :)
Always be a little kinder than necessary.
- James M. Barrie

lynngtx

Does this affect all forums that are powered by SM?

Trekkie101

Quote from: lynngtx on July 27, 2013, 05:01:53 AM
Does this affect all forums that are powered by SM?

Nope, just this one was breached. If you use the same password here, and on other sites, you'd be best changing them.

OliB150

Thanks for letting us all know, the email was quite well crafted to put it in a way for most audiences to understand. Shame it took a while for the email to get to me, but I understand the reasoning behind that (as has been discussed above), so I won't hold it against you!

ChrisNSF

Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???

Chalky

Woohoo!  I just got mine  :D

Quote from: ChrisNSF on July 27, 2013, 05:32:16 AM
Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???

Read some of the posts above yours for an explanation of the basics of how servers handle emails.

ChrisNSF

Quote from: ChalkCat on July 27, 2013, 05:36:53 AM
Woohoo!  I just got mine  :D

Quote from: ChrisNSF on July 27, 2013, 05:32:16 AM
Announcement on the 23rd, yet the e-mail announcement arrived just now, on the 27th???

Read some of the posts above yours for an explanation of the basics of how servers handle emails.

Read a few posts up the thread before posting? That's not my style ;)

So I assume that, after taking the actions in the e-mail, and one's forum seems hunky dory, we're probably good?

And the e-mail was well-worded. I'm computer illiterate, so it was nice that I could read it without it resulting in my sobbing in the corner of the room saying "I don't know what to do!!!"  ;D

Renissi

Just got an email too from here...
Sad thing that there are idiots, jerks, assholes etc. who want to destroy other people's things...
As I am a member who "never" visits here, I don't care much about my password. It's just 1 password for this site, and nothing more.
I use only 1 password per forum/site.. But like I said, it is sad..

Thank you for the email.... Good luck!

mag07

Cheers for the notification.  Wish people would stop blaming everyone else but themselves though.  This is a forum, with no sensitive info collected.  If your own password etiquette is poor, then you have only yourself to blame.   ****** happens, and frankly, can't really expect every non profit site on the web to have an ssl, unless you'd be willing to pay for it as part of being in the community.   

If you do things right, then you have nothing to worry about, breach or not; there is no need to blame someone to make yourself feel better ;)

French

The key question is: how to try to prevent this in the future?
Perhaps this modification/script, with some customization to do, may be suitable for this purpose, so that admins and team members are forced to change their password (with a date of expiry provided) on a regular basis; it is clear and it is shown that this group in this particular case seems to be the weakest link.

Just a personal thought

Chalky

Quote from: ChrisNSF on July 27, 2013, 06:01:27 AM

Read a few posts up the thread before posting? That's not my style ;)

So I assume that, after taking the actions in the e-mail, and one's forum seems hunky dory, we're probably good?

And the e-mail was well-worded. I'm computer illiterate, so it was nice that I could read it without it resulting in my sobbing in the corner of the room saying "I don't know what to do!!!"  ;D

At least you're honest about reaching straight for the reply button  :laugh:

Yes, if you have followed the instructions in the email the hack shouldn't affect you.  Our hacker is on a password-gathering spree with the aim of manipulating re-used passwords to gain access to other sites and repeat.  As long as your passwords have been changed and not reused elsewhere then you should be fine.  Also note that any login information shared via PM and secret questions/answers stored in your profile should also be considered compromised and changed here and anywhere else you may have used the same data, because we are working on the safest assumption that the hacker acquired the whole database.

Kindred

Forcing password changes every x days is a sure way to make certain that people use insecure passwords.
