
IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Tiny Clanger

Ah spit, not another one  ::)

Re the Ubuntu hack: from the alleged hacker    www.twitlonger.com/show/n_1rlft0d

And on the practicalities: a recent answer elsewhere     security.stackexchange.com/questions/12994/whats-the-practical-limit-for-rainbow-table-based-bruteforce

Excuse the non-active links - I'm new here.

tomreyn

Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Counted from first alert to when the mails first started being sent out. Due to various factors that are beyond the control of this site, we can't send all 300000 messages at once. It takes a bit of time to push that many messages out.

Yes, good point, I guess that if you wanted to send out that many e-mails within a shorter period it just requires resources the typical free software project doesn't have access to. MegaGlest, which I contribute to, is in the same situation, though on a lower scale; we rely a bit on the infrastructure sourceforge.net provides, though, which, while attaching (sometimes ugly) sponsor messages, is free of fees, nice and stable most of the time. I also didn't realize it's that many, apologies for the ignorance.

Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
So please do not go this route; the vast majority of homebrew crypto and hashing mechanisms just fail miserably during the design phase, but their developers do not realize it.

If anything, SMF would probably move to something like bcrypt, PBKDF2, or scrypt.

Personally, I'm in favor of PBKDF2 as it's had a lot more scrutiny and comes from RSA. The problem is compatibility issues. For anything fancy, you'll need PHP 5.5 or newer. There is a compatibility library that allows bcrypt on older PHP versions, but it's 5.3.7 and newer only. There are a lot of hosts on older versions (RHEL/CentOS 6 are only up to 5.3.3, and I don't know if the bcrypt flaw was patched in their packages).

Thanks for explaining how much consideration goes into this; I guess this gives a better impression of why something more modern hasn't been implemented yet. I'd still love to see some mechanism which leaves the ultimate choice to the site admin, but I do see how this involves even more work, and maybe too much. Surely those (fixed) options you discussed sound pretty good, and are not homebrew at all (which will be good).

Quote from: 青山 素子 on July 27, 2013, 12:40:19 AM
Quote from: tomreyn on July 26, 2013, 06:02:27 PM
you make this really difficult when you add two-factor authentication which usually relies on mobile phones nowadays. There could also be hardware crypto tokens generating one-time passwords like those of RSA (where the secret master key recently became non-secret), but this involves purchases which not everyone can afford and which usually break pseudonymous operation. You could do the same with a free but closed-source software, but then you rely on the users' computers to not be compromised

Not necessarily. Something like Google Authenticator would work well. It's based on RFC 6238 and there are plenty of open and closed software products that implement it on desktop software and mobile devices.

At some point you have to trust you have done enough. Might I note that RSA had a breach of their SecurID database a while back, exposing the seed data for their customers' hardware tokens for customers who chose for RSA to retain that data.

Yeah, I read about it, quite the worst case incident.

Google Authenticator should be a good multi-factor authentication option indeed, I hadn't thought of that, good point there.

Anyways, I'm glad to know that there are so considerate developers in SMF, it makes me think we made the right software choice after all. And I appreciate the development + support team's work, thanks everyone!

青山 素子

Quote from: tomreyn on July 27, 2013, 02:38:45 PM
Thanks for explaining how much consideration goes into this; I guess this gives a better impression of why something more modern hasn't been implemented yet. I'd still love to see some mechanism which leaves the ultimate choice to the site admin, but I do see how this involves even more work, and maybe too much. Surely those (fixed) options you discussed sound pretty good, and are not homebrew at all (which will be good).

SMF might switch to something more complex very soon, assuming hosts upgrade. The problem, of course, is that long-lived popular server distributions like RHEL/CentOS are still using PHP 5.3.3 in their latest stable releases. What they are doing makes sense for them, but it does make it a bit tough when one wants to use newer functionality. (Luckily, there are repositories like IUS that help.)

There are plenty of good solutions out there, the problem is compatibility.

Quote from: tomreyn on July 27, 2013, 02:38:45 PM
Anyways, I'm glad to know that there are so considerate developers in SMF, it makes me think we made the right software choice after all. And I appreciate the development + support team's work, thanks everyone!

Just to note, I'm not a developer on this project.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


samrfactor

Thanks for the info, simplemachines! This news is a shame. One question: is there a greater risk in using version 2.0 RC5? God help us.

Kindred

wow. If you are running 2.0RC5, you need to upgrade ASAP. This specific hack instance was not related to any security issue in the SMF Software... however, there have been NUMEROUS security fixes in the 5 versions between 2.0RC5 and 2.0.4
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Chalky

Kindred this user has just begun converting from vB 4.2, so he may have no choice but to land on RC5 (I haven't looked into the converters).

samrfactor, once you have finished the conversion from vB you must upgrade your SMF version to the latest, 2.0.4, to keep your forum secure. RC5 is ancient ;)

tumbleweed

Quote from: a10gf on July 26, 2013, 07:59:26 PM
*anything* is possible... take a look at this ATM hack:

http://www.youtube.com/watch?v=WZF4CnMCEsY

:D

Barnaby Jack, the researcher who had shown a proof of concept for the ATM hack, just passed away
http://news.cnet.com/8301-1009_3-57595776-83/atm-hacker-barnaby-jack-dies/

Just FYI is all...

Ddnhf

I'm curious to know what encryption method you guys are using.

Example:
MD5
SHA1
Blowfish
BCrypt

On a site I'm working on, I encrypted my passwords like so: sha1(md5(sha1(mysql_escape_string(htmlspecialchars(stripslashes(strip_tags($_POST['password'])))))))
When I attempted to decrypt the passwords, they were either not found, or appeared as another encryption. And the others are to prevent SQL injection.

Also, using PDO is very important as it's more secure than using mysql_* and mysqli_* functions.

NanoSector

We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure.

Using nested encryption methods will just slow things down for the hacker.

SD-X

Quote from: neothemachine on July 27, 2013, 08:59:03 AM
"This is !!NOT!! a security issue with the SMF software."

Indeed it is. The problem is that the admin page of SMF allows to download database dumps. In my opinion, that's a hole which cannot get any bigger. Why do you have this feature at all? Backups should be done separately (e.g. by a weekly cron job on your server, or directly through the web hosting provider, or ...). It's not a task of the forum software, despite the fact that most forums offer it. Think about it! Don't put convenience over security.

BTW: I almost need 5 or more attempts for your verification image. Very annoying :)
1. Let's just remove all admins then. Everything they can do is dangerous to the forum!!!
/sarcasm :P

2. If it took you five attempts, then you keep making typos. That is a security feature itself. You just said we should remove a feature for security reasons, but you're complaining about another which provides some from spam attacks. Come on man, you can't have it both ways...

@ All SMF Devs: Thank you guys. Although I'm still a bit worried due to the massive number of similar attacks happening worldwide on the internet right now which could be related, it's nice to see that you guys indeed stepped forward to notify people, despite the bad image it may portray to some. That is honorable above all, and you have my respect for it. Trusting you guys with my data is one of the major reasons why I prefer your software over many others. At least I know I can be confident that you'll do everything to keep it safe, even when I'm hosting the forum software on my own website itself.

kat

I, for one, appreciate everything you said, there, matey!

Ddnhf

Quote from: Yoshi on July 27, 2013, 04:28:56 PM
We are using sha1. Also this has nothing to do with security of the software, but keeping passwords unique and secure. Salting the SHA1 password *should* make it more secure.

Using nested encryption methods will just slow things down for the hacker.
SHA1 itself is not completely secure, there are websites that offer to decrypt SHA1 passwords.


<?php
// A random numeric salt is appended to the password before hashing.
// The salt must be stored next to the hash so the same value can be
// re-applied when the password is verified at login.
$salt = rand(1000000, 99999999);
$hashed_pwd = sha1($password . $salt);
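To make the thread's two positions concrete (the nested sha1/md5 chain posted earlier versus the bcrypt/PBKDF2/scrypt options discussed by Motoko-chan and tomreyn), here is an added example, not SMF's code or the posters' own: a Python rendering of the unsalted sha1(md5(sha1(password))) chain, beside PBKDF2-HMAC-SHA256 with a fresh random salt per user, a stored work factor, constant-time verification and a rehash check. The sanitising calls in the original chain are dropped since they do not change the hashing structure; the iteration count is an assumption to be tuned per server.

```python
"""Added example (not SMF code): unsalted nested hashing versus a salted, iterated KDF."""
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def legacy_nested_sha1(password: str) -> str:
    """The sha1(md5(sha1($password))) chain from the post above, in Python.
    PHP's sha1()/md5() return hex strings, so each layer hashes the previous hex digest.
    With no salt, every user holding the same password gets the same digest, so one
    precomputed table (or a lookup site) cracks all of them at once."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest()
    h = hashlib.md5(h.encode("ascii")).hexdigest()
    return hashlib.sha1(h.encode("ascii")).hexdigest()


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output (the part that does the slow work)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, salt: bytes = None, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Fresh 16-byte random salt per user; salt and iteration count travel with the
    record as 'pbkdf2_sha256$<iterations>$<salt b64>$<dk b64>' so verify can recompute."""
    if salt is None:
        salt = os.urandom(16)
    dk = derive(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    return hmac.compare_digest(derive(password, salt, int(iterations)), expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record predates the current work factor; rehash on the next
    successful login, which is how a site migrates without resetting passwords."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    # Two users, same password: identical legacy digests, distinct PBKDF2 records.
    print(legacy_nested_sha1("hunter2") == legacy_nested_sha1("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

Nesting fast hashes adds a constant few microseconds per guess and nothing else; the salt is what defeats shared lookup tables, and the iteration count (or bcrypt/scrypt's cost parameter) is what makes each guess expensive. On PHP 5.5 and newer the built-in password_hash()/password_verify() pair gives the same shape with bcrypt and no code of your own.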

SD-X

Quote from: K@ on July 27, 2013, 04:47:37 PM
I, for one, appreciate everything you said, there, matey!


And I appreciate all the work you guys do, so thank you too! :)

kat

We enjoy it! (Most of the time)

I guess we're all masochists, really. ;)

SD-X

Quote from: K@ on July 27, 2013, 05:09:45 PM
We enjoy it! (Most of the time)

I guess we're all masochists, really. ;)
Well dear friend, sometimes it takes hard work, sweat, and Hell on Earth to make dreams come true...but in the end, it's all worth the fight you put up for it. :)

kat

It does, at that. :)

There ARE times when you think "******, this is doing my braincell in" and feel like giving it up, I have to confess. (Maybe it's coz I'm old and falling to bits, that) ;)

There's always some happy, sparkly person comes around, though, to cheer me up, again. :)

SD-X

Quote from: K@ on July 27, 2013, 05:18:44 PM
It does, at that. :)

There ARE times when you think "******, this is doing my braincell in" and feel like giving it up, I have to confess. (Maybe it's coz I'm old and falling to bits, that) ;)

There's always some happy, sparkly person comes around, though, to cheer me up, again. :)
It's not just you, man. It happens to everyone. The fact that you push through and keep going to reach your goals only further proves how worthy you are to be making the project a reality. :)

kat

Oh, I'm just a minion who tries to help people, when things screw up!

The people who do the REAL work kinda hide in cupboards, somewhere, clickity-clacking on keyboards...

:)

Chalky

.... and occasionally demand cups of tea  :P
