IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


bdtcomp

I changed my password. Thank you.  8)

neothemachine

"This is !!NOT!! a security issue with the SMF software."

Indeed it is. The problem is that the admin page of SMF allows downloading database dumps. In my opinion, that's a hole which cannot get any bigger. Why do you have this feature at all? Backups should be done separately (e.g. by a weekly cron job on your server, or directly through the web hosting provider, or ...). It's not a task of the forum software, despite the fact that most forums offer it. Think about it! Don't put convenience over security.

BTW: I almost need 5 or more attempts for your verification image. Very annoying :)

Kindred

oh, for the love of gods....

You didn't even bother to read the thread, did you?
We've already discussed this, SEVERAL TIMES.
The hacker did not access the database through the SMF database backup function.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Nomae

I'm afraid I am not well versed in using my forum site so this information has me asking the following question: what does this mean exactly?

First, you use the acronym "PM"; what is that?  I'm pretty sure I haven't shared any passwords, so I must not have shared them via "PM", but I'd like to be sure.

Second, what user database was hacked?  Just the one with my admin login to my forum, the user database that I just used to log into this forum site, does it include all the users of my forum?

I'm not sure to what extent I have to react to this.

I have changed the admin password on my forum site but don't know if I have to do more.

Please advise.

Chalky

Hi Nomae, PM refers to the personal messaging system  :)

As long as the admin password you use on your forum is different from the one you had used here, your forum and your users should not be affected.  It's always a good idea to change the password anyway though  :)

Kindred

The database HERE on simplemachines.org was hacked.

If you do not use the same password on any other site, then the only thing you need to do is change your password here.
If you DO use the same password across multiple sites then (first, naughty user) (second, change your password on all sites where you previously used that shared password -- and don't share the same password between multiple sites again)


Your own database and site was untouched (by this specific attack)

French

This would surely also involve team members in this case.

Team members have access to some private sections of a forum; it seems to me you don't want to find items from those private sections out on the street when the login details of team members have been hacked.

dhaya.b

:-\ Unfortunately I never use the same password for multiple sites... even so, from now on I will change my password periodically ..  ???

FrizzleFried

Quote from: Kindred on July 27, 2013, 07:58:21 AM
Forcing password changes every x days is a sure way to make certain that people use insecure passwords.

Agreed.  My employer tried this... new password weekly.  It was HELL.  Especially since you couldn't use your last 15 passwords or some such nonsense...


FrizzleFried

I got my email... 3:24AM this morning... AND THIS HAPPENED BACK ON XX/XX/XX AND I AM JUST GETTING.... er... wait...

...nevermind.

;)

- D-Monga

LiroyvH

Quote from: cmre on July 27, 2013, 12:03:57 PM
How can I change my password?

In your profile under account settings
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

tobyf

Kinda glad that I used my "cheapest" password for this forum now.


On a related matter, I despise forums that try to force complex passwords on users. Numbers and letters? NOT GOOD ENOUGH! It must be uppercase letters, and at least a symbol too. I mean, give me a break, this isn't like national security or something, it's a simple website run by John Doe, and they're probably dumping my password into their database either plain text, or SHA hashed - an algorithm that's been designed to be as fast as possible, so an attacker can try millions of passwords a second. Few people use proper password hashing functions, such as bcrypt.


Anyway, glad that at least SMF didn't force that on us. That way I could use a simple password, which I don't care about, but that I'll change anyway.


Usually if some random site forces me to use upper-case, lower-case and numbers, I use 'Password123'. It has all of that, so it just GOT to be great, right guys.
PS.: 12:12:12 get !



Quote from: FrizzleFried on July 27, 2013, 11:10:33 AM
Agreed.  My employer tried this... new password weekly.  It was HELL.  Especially since you couldn't use your last 15 passwords or some such nonsense...

Use whichever password you would use, and add week of the year, and the year itself to it. BAMM - insta-secure!

mbail3y

Quote from: Kindred on July 27, 2013, 09:05:16 AM
oh, for the love of gods....

You didn't even bother to read the thread, did you?
We've already discussed this, SEVERAL TIMES.
The hacker did not access the database through the SMF database backup function.

That's the way I interpreted the email as well and I'm definitely not going to read 19 pages of posts.

On the 22nd of July 2013, it was discovered that unauthorized access to our website and database has been obtained on the 20th of July.
The method is similar to the hacks that were recently conducted at other websites, even though those sites used other software.
One of the admin accounts' passwords was discovered, and from there further escalation wasn't too difficult considering admin privileges can do just about anything.

royster

Much appreciation for the heads-up. Our two websites have multiple Administrators (all trusted) and we lost one of our SMF sites for two weeks. It was not clear what the problem was, but it appeared to be within our server.

I posted your e-mail for all members to see on both sites.

French

Quote from: tobyf
Anyway, glad that at least SMF didn't force that on us. That way I could use a simple password, which I don't care about, but that I'll change anyway.

The regular users are not the group to which I referred.

Quote
Admins and team members are forced to change their password on a regular basis (date of expiry provided); it is clear, and it is shown, that this group in this particular case seems to be the weakest link.

Kindred

It doesn't matter if you target only a limited group or everyone: forcing time-limited passwords results in many more insecure passwords than otherwise.
Additionally, it doesn't stop the user(s) from changing the password here and then making all their other passwords match...
So, your suggestion is essentially pointless. Sorry.

Policy and education work more effectively than programmatically forcing users (or even just admins) to "comply".


青山 素子

Quote from: tobyf on July 27, 2013, 12:12:12 PM
they're probably dumping my password into their database either plain text, or SHA hashed - an algorithm that's been designed to be as fast as possible, so an attacker can try millions of passwords a second. Few people use proper password hashing functions, such as bcrypt.

Just so you know, SHA1 was the best choice at the time. Yes, technology has caught up to make SHA1 less than ideal for anything but checksumming. However, PHP's bcrypt implementation had security flaws until 5.3.7 and the password_hash function using bcrypt didn't exist until 5.5.0. SMF 2.0 predates those PHP versions.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
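As an added example (not SMF's own code) that ties tobyf's point about fast hashes to Motoko-chan's note on password_hash: a login routine that verifies a legacy unsalted SHA1 record in constant time and upgrades it to bcrypt on the next successful login, so no forced password change is needed. The `sha1:` prefix and the sample record are constructed for the example; it assumes PHP 5.6 or later (password_hash from 5.5.0, hash_equals from 5.6.0).

```php
<?php
// Added example, not SMF code: verify a legacy fast-hash (SHA1) record and
// transparently upgrade it to bcrypt via password_hash() on successful login.

const LEGACY_PREFIX = 'sha1:';  // constructed marker for the old hash format
const BCRYPT_OPTIONS = ['cost' => 12];

// Constructed sample record: an unsalted SHA1 of the password "correct horse".
function legacy_record() {
    return ['password_hash' => LEGACY_PREFIX . sha1('correct horse'));
}

// Returns the (possibly upgraded) stored hash on success, or null on failure.
function login(array &$record, $password) {
    $stored = $record['password_hash'];

    if (strncmp($stored, LEGACY_PREFIX, strlen(LEGACY_PREFIX)) === 0) {
        // Legacy path: constant-time comparison of the fast hash, then rehash
        // with a deliberately slow algorithm (bcrypt) before returning.
        $legacy = substr($stored, strlen(LEGACY_PREFIX));
        if (!hash_equals($legacy, sha1($password))) {
            return null;
        }
        $record['password_hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        return $record['password_hash'];
    }

    // Modern path: bcrypt hash produced by password_hash().
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Raise the work factor over time without forcing a password change.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $record['password_hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return $record['password_hash'];
}

$record = legacy_record();
assert(login($record, 'wrong') === null);            // legacy path rejects
$upgraded = login($record, 'correct horse');         // legacy path accepts and rehashes
assert($upgraded !== null && strpos($upgraded, '$2y$12$') === 0);
assert(login($record, 'correct horse') === $upgraded); // bcrypt path on second login
echo "legacy record upgraded to: $upgraded\n";
```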
