CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:01 pm
by russ
Sometime this morning, several files on the forum were maliciously changed, causing errors when loading pages.

After I was made aware of the issue, I googled the errors and saw that they could be from a compromise to the forum files. Sure enough, that was the case.

I followed the steps recommended by the forum software's support, necessitating that the forum be shut down today while I made backups, changed server passwords, removed the changes to the files and checked for further issues.

Unfortunately, it looks like one of the checks that I ran restored the original style configuration, and I've managed to get the style back so it fits within the site, but it will take a bit more work to get things looking like they used to. I'll continue to work on that, but my main concern is ensuring that the forum software is updated and doesn't get compromised again.

UNFORTUNATELY this means that if the site files were able to be changed, they were also readable, including the file that contains the forum's database password. With access to the database, the attacker has access to all forum members' email addresses and encrypted copies of passwords. Since we all know that encrypted data can eventually be unencrypted, I would STRONGLY URGE you to change your forum password IMMEDIATELY. You can change it under "Edit Account Settings" in the User Control Panel > Profile.

More importantly, if you were using the same password anywhere else with the same e-mail/details then you should also change it there.

Please let me know if you have questions and I'll try to answer them to the best of my ability.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:05 pm
by BlahBlah
More importantly, if you were using the same password anywhere else with the same e-mail/details then you should also change it there.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:11 pm
by russ
True. Thanks. I've added that bit to the original post.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:11 pm
by :::
Wow, that sucks. Thanks for your efforts. Do you know who did this?

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:14 pm
by Major
If they hacked into my PMs Kerble's dick is gonna be all over Reddit soon.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:14 pm
by russ
I don't know at this point who did it. Probably just some script kiddie.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:14 pm
by :::
Major wrote:If they hacked into my PMs Kerble's mom is gonna be all over Reddit soon.

kmyp

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:18 pm
by Major
Oh there's been an r/kerblesmom for years

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 5:29 pm
by squarewave
Done.

Thanks for your work on the forum.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 6:31 pm
by Rémy
Thank you, Russ, for the info.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 6:38 pm
by fredrock
Nice work Russ
U is the buss
When it comes to a fixin'
The internet muss

(extreme poetic license imposed)

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 6:42 pm
by Jodi S.
I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 6:56 pm
by Adam Sr
Thanks for the advice, but I'm sticking with 'ah84ghwaklhd'.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 7:05 pm
by Frank Decent
Done. Thank you.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 7:10 pm
by BlahBlah
Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes.

Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as <PRFPassword>1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.

Also, thanks Russ!

(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)
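As an added illustration of the points in the post above (this is example code, not anything from the forum or from phpBB), the block below contrasts the legacy unsalted-MD5 storage that BlahBlah suspects phpBB2 used with a salted, stretched scheme: similar passwords give unrelated hashes, but a precomputed table still matches any unsalted hash it contains, while per-user salts make the same table useless and give two users with the same password different stored records. The users, passwords and candidate list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: three forum members, two of whom chose the same password.
USERS = {"jodi": "JodiPassword1", "blah": "JodiPassword1", "fred": "JodiPassword2"}


def unsalted_md5(password: str) -> str:
    """Legacy storage scheme (assumed here to be phpBB2-style: plain MD5, no salt)."""
    return hashlib.md5(password.encode()).hexdigest()


def hex_diff_positions(a: str, b: str) -> int:
    """Count hex digits that differ between two digests (the avalanche effect)."""
    return sum(x != y for x, y in zip(a, b))


def precomputed_table(candidates) -> dict:
    """What a precomputed lookup table boils down to: hash -> candidate password."""
    return {unsalted_md5(p): p for p in candidates}


def recover_unsalted(stored: dict, table: dict) -> dict:
    """Every stored value that appears in the table is matched immediately."""
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened storage: per-user random salt plus key stretching, stored as salt$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${dk.hex()}"


def new_salted_record(password: str) -> str:
    return salted_hash(password, os.urandom(16))


def verify_salted(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex)), record)


def demo() -> dict:
    legacy = {u: unsalted_md5(p) for u, p in USERS.items()}
    hardened = {u: new_salted_record(p) for u, p in USERS.items()}
    table = precomputed_table(["password", "Password123", "JodiPassword1"])
    return {
        "avalanche": hex_diff_positions(legacy["jodi"], legacy["fred"]),
        "same_password_same_hash": legacy["jodi"] == legacy["blah"],
        "recovered_from_legacy": recover_unsalted(legacy, table),
        "same_password_same_record": hardened["jodi"] == hardened["blah"],
        "recovered_from_hardened": recover_unsalted(hardened, table),
        "login_still_works": verify_salted("JodiPassword1", hardened["jodi"]),
    }
```

The takeaway for a forum operator is that once the database is readable, the only storage scheme that buys time is a salted and stretched one; unsalted MD5 gives up every common password the moment the table is consulted.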

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 7:39 pm
by Bro Shark
Thanks, I changed it to "Password123".

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 8:08 pm
by lemur68
fredrock wrote:
Nice work Russ
U is the buss
When it comes to a fixin'
The internet muss

BURMA SHAVE

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 8:19 pm
by Colonel Panic
Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

It's unlikely, but theoretically, yes. It depends largely on how much similarity exists between your other password and your EA Forums one. The more similarity exists, the more the uniqueness and integrity of your password is compromised. That's why they say you should never use the same word in passwords for multiple sites in recognizable patterns such as "googleswordfish," "yahooswordfish" and "electricalswordfish." There are password cracking algorithms that use "dictionary attacks" coupled together with the "rainbow tables" technique mentioned by BlahBlah above that do actually automate the process of brute-forcing passwords. Add to that the fact that (as BlahBlah also mentioned) PHPBB doesn't salt hashed passwords by default, plus the distinct possibility of the attacker sharing our forum's ~/etc/password list file for all his friends to have a crack at.

If I were you, I'd play it safe and change any passwords for other sites that share similar words or long character sequences with your EA password.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 9:58 pm
by :::
Colonel Panic wrote:
Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

It's unlikely, but theoretically, yes. It depends largely on how much similarity exists between your other password and your EA Forums one. The more similarity exists, the more the uniqueness and integrity of your password is compromised. That's why they say you should never use the same word in passwords for multiple sites in recognizable patterns such as "googleswordfish," "yahooswordfish" and "electricalswordfish." There are password cracking algorithms that use "dictionary attacks" coupled together with the "rainbow tables" technique mentioned by BlahBlah above that do actually automate the process of brute-forcing passwords. Add to that the fact that (as BlahBlah also mentioned) PHPBB doesn't salt hashed passwords by default, plus the distinct possibility of the attacker sharing our forum's ~/etc/password list file for all his friends to have a crack at.

If I were you, I'd play it safe and change any passwords for other sites that share similar words or long character sequences with your EA password.

Good to know. I've now also changed the password for the email account with which I registered to post here.

Re: CHANGE YOUR PASSWORD!!!

PostPosted: Tue Oct 01, 2013 10:36 pm
by SecondEdition
Thanks. Changed the email address (which was dead) and the password.