Ubuntuforums.org cracker promises no password release

“Sputn1k_”, the entity held responsible for stealing 1.8m passwords from ubuntuforums.org, appears to have reassured the world s/he doesn't plan to do anything bad with the credentials. Someone or something using the Sputn1k_ name used Twitlonger to post the following missive: “You can stop worrying about your passwords. Yes …

COMMENTS

This topic is closed for new posts.
  1. Peter 26

    MD5?

    I'm no crypto expert, but surely paid forum software can do better than md5? I know it's double hashed and salted, but still it would take very little effort from vbulletin to use a better algorithm.

    Also a lot of the time improvements made will only affect the one web site with their custom db, but here one bit of effort on vbulletin side would improve many forums' security all over the web.

    1. Tom 7

      Re: MD5?

      Free software can do better than MD5. I don’t think this was the real problem here. I'd guess that there was some injection hole left open. Once that’s done it's largely irrelevant which encryption method is used, and which salts, as the cracker probably has pretty much full access to the DB.

      It is possible to set these things up with a lot more security - but there is a pay-off between security and maintainability and hence cost, and a paid-for one has profits on top which tend to make it more insecure in the long run.

      1. Alan Brown

        Re: MD5?

        "It is possible to set these things up with a lot more security - but there is a pay off between security and maintainability and hence cost and a paid for one has profits on top which tend to make it more insecure in the long run."

        My experience as a sysadmin is that web "devs" simply chuck things together and if it works, move onto something else. Security isn't even an afterthought.

        This is why so many webservers end up compromised: Crap code, crap attitude. As much as we lock down the OS environment around the webserver it's completely undermined by application coders.

        The only practical solution is to treat Webservers as disposable & firewall the hell out of the things - in AND outbound.

        1. Anonymous Coward

          Re: MD5?

          VBulletin is all php based? I was under the impression that md5 was long out of fashion in the php world. Sounds like VBulletin need to get their act together.

    2. Paul Crawford

      Re: MD5?

      I doubt the MD5 vs. SHA-1 etc argument is important, as I suspect large-ish rainbow tables already exist for most common hash functions. At least it was salted, which is more than some DB leaks have shown, though how much entropy the salt has is not stated in the article and that probably is the major factor in the effort to recover a significant number of original passwords.
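Peter 26's point that the forum software could "use a better algorithm" and Paul Crawford's point about the salt being what slows recovery both come down to the same fix: stop storing fast, unsalted-or-weakly-salted hashes. The block below is an added example, not vBulletin code; it assumes the thread's "double hashed and salted" means md5(md5(password) + salt), and shows how a site can wrap every existing hash in PBKDF2 in one migration pass (no plaintext needed) and then re-hash each user properly on their next successful login. Iteration count, record format and field names are this example's own choices.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Legacy scheme as described in the thread ("double hashed and salted"):
# md5(md5(password) + salt). Assumed to match the forum's format; kept only
# so existing rows can be verified and migrated, never used for new accounts.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

# Assumed starting point; raise until one hash costs ~100 ms on real hardware.
PBKDF2_ITERS = 200_000

def wrap_legacy(legacy_hex: str, legacy_salt: str) -> str:
    """Wrap an existing legacy hash in PBKDF2-HMAC-SHA256 without knowing the
    plaintext, so the whole user table can be protected in one offline pass."""
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), new_salt, PBKDF2_ITERS)
    return f"pbkdf2-wrapped-md5${legacy_salt}${new_salt.hex()}${dk.hex()}"

def hash_password(password: str) -> str:
    """Record format for new accounts and for re-hashing after a login."""
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), new_salt, PBKDF2_ITERS)
    return f"pbkdf2-sha256${new_salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> tuple[bool, str | None]:
    """Return (ok, replacement_record). replacement_record is non-None only
    when the user logged in against a wrapped legacy hash: the caller should
    store it so the md5 layer disappears from that row."""
    parts = stored.split("$")
    if parts[0] == "pbkdf2-sha256" and len(parts) == 3:
        _, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERS)
        return hmac.compare_digest(dk.hex(), dk_hex), None
    if parts[0] == "pbkdf2-wrapped-md5" and len(parts) == 4:
        _, legacy_salt, salt_hex, dk_hex = parts
        inner = legacy_hash(password, legacy_salt)
        dk = hashlib.pbkdf2_hmac("sha256", inner.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERS)
        ok = hmac.compare_digest(dk.hex(), dk_hex)
        return ok, (hash_password(password) if ok else None)
    return False, None  # unknown or malformed record: fail closed
```

Wrapping removes the "fast hash" problem for every row immediately; the per-login re-hash is what eventually removes the weak legacy salt from the picture as well.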

  2. deains

    Speaking from experience

    vBulletin is really really crap at security. The password hashing algorithm is really only the tip of the iceberg. The thing is, once you get control of AdminCP, the server is essentially yours (up to permissions of the SuExec user). You can upload and execute files, run queries, likely even send emails if that's on the same machine as Apache. And what's protecting this treasure trove, you ask? A password prompt and nothing else. No SSL, no guessing usernames (admins are listed on the site), that one text field is literally all that stands between a hacker and complete control of your box.

    Not to mention cookies of course, which in vB sometimes don't even get marked as HttpOnly. Yes, that means a bit of XSS could compromise the entire machine. Starting to see the whole iceberg?

  3. Roger Stenning

    He's still a tool.

    - and I'm being polite here - for doing what he did. For pity's sake, it's not like Ubuntu are a third world despotic nation, hell bent on subjugating native tribes with WMD, is it? No, they work as volunteers to release a fairly effective FREE alternative to Windows, iOS, et al, which is used by millions (well, tens of thousands, anyhow) around the globe. And this spotty-faced git decides, on a whim, to upset the apple cart and screw them over? Doesn't bloody matter if he's not going to use the passwords. Doesn't matter much if they were salted, peppered, or covered in tomato sauce: He was wrong to do what he did. End of.

    1. Khaptain

      Re: He's still a tool.

      The church and the slaughterhouse are equal targets, the principle remains the same. Once you are through the locked gates however what you do with the "swag" is very important.

      There is no point in saying that Sputn1ck was wrong because it does not change the fact that the deed has been done. It is far more important to discuss what can be done in order to prevent further replication or how to avoid making the swag worthwhile.

    2. PM.

      Re: He's still a tool.

      Firstly Ubuntu is a commercial company that lives off selling their product and support, so they're not exactly volunteers.

      Secondly some organizations choose Ubuntu over Windows for security sake.

      (Like, say, Tibetan activists)

      Perhaps such actions can open some eyes and provoke some thought,

      because _real_ adversaries will not advertise their breach all over the Internet ...

      1. Richard 22

        Re: He's still a tool.

        Not quite - Canonical is a commercial company, which produces Ubuntu.

        However - is ubuntuforums.org actually a Canonical-owned site? Genuine question as I don't know. My impression from these articles was that it was an independent, volunteer-run site.

        1. deains

          Re: He's still a tool.

          The domain is registered to Canonical Ltd., so I'm guessing they do manage the site.

            1. Anonymous Coward

            Re: He's still a tool.

            "The domain is registered to Canonical Ltd"

            Server in UK? [ 1 ]

            That'll be Computer Misuse Act Section 3 perhaps? [ 2 ]

            I wonder what kind of mood Mr Shuttleworth is in right now...

      2. This post has been deleted by its author

      3. Roger Stenning

        Re: He's still a tool.

        PM -

        OK, so they sell products to businesses. Big deal. Their distros are still free for personal use, last I checked (which was about five minutes ago, as it happens).

        Anyhow, let's see if I have you right on the implied commentary you gave, a couple of posts above:

        If I've got you right, you're saying that if you're a commercial entity, then you're fair game for abuse, hacking, and criminal activities designed to really bugger things up for you and your clients/customers, whether or not you are a small, medium, or large biz, or a mega corporation; further, it matters not a jot if you're considered ethical, morally rudderless, good, evil, or anywhere else on the planetary moral compass, if you make a profit, you're fair game. Is that correct? If not, please elaborate?

        1. PM.

          Re: He's still a tool.

          Richard, I would agree with you if he hacked Debian or CentOS, a true non-profit idealist org. And Canonical? They are in it for money, purely. They rarely contribute something back to the Linux community.

          Suppose I saw a sleeping guard and I put a flower in the barrel of his gun. Would this be a criminal act? Perhaps. But he provides some service to the public and does it for money, so he should better get his act together.

          1. Roger Stenning

            Re: He's still a tool.

            *Mutter* It's Roger, not "Richard", Fred.

            Putting a flower into the muzzle (and thus down the barrel) of a rifle is unlikely to cause anything other than an amusing photo. It's hardly likely to be a criminal act. Criminally stupid, maybe, but criminally illegal? Not likely.

            So, a company that makes a profit is fair game, then? Why? As to Canonical being in it purely for the money, and failing to contribute back to the Linux community. Um. Not so. Remember, they give their distro away free for *personal use*. It may not be contributing to the community in the form of code, etc, but it's still one hell of a loss leader, as there is absolutely no guarantee that those 'customers' are likely to be IT buyers for their companies, is there?

            In any case, this idiot didn't go after Canonical themselves, oh no. He went after their community forums - he went after the users, not Canonical. Try excusing that, if you can.

            Again, he's still a tool. And that's being icily polite about it.

            1. PM.

              Re: He's still a tool.

              Hi Roger,

              Sorry for that name mistake.

              With rest we'd have to agree to disagree ;-)

              1. Roger Stenning

                Re: He's still a tool.

                Apology accepted, thank you :-)

                Given that I'm one of those who's been affected by the actions of this... individual... I think you'll also understand my viewpoint on him.

                And he's still a tool.

      4. Anonymous Coward

        Re: He's still a tool.

        The problem here would seem to be vbulletin. The OS would seem to be irrelevant at this point in time.

    3. Steve the Cynic

      Re: He's still a tool.

      "FREE alternative to Windows, iOS"

      Really? I can install Ubuntu on my iPhone? How?

      (No, I don't actually want to do such a thing, for various reasons, but I think you're barking up the wrong tree there. MacOS would seem to be a reasonable suggestion, but not iOS.)

      1. henrydddd

        Re: He's still a tool.

        You can put Android on your iPhone if you value security.

      2. Roger Stenning

        Re: He's still a tool.

        Sorry, you're right, MacOS, not iOS. My bad. I just couldn't think what the darn thing was called, not being a fruit fanboi like some others on this august (well, robust, anyhow!) place ;-)

  4. frank ly

    Ah yes, ethical hacking...

    ...showing respect for the place you are visiting. Take nothing but database snapshots, leave nothing but messages.

  5. Patrick O'Reilly

    So this is what Dell meant when they talked about Project Sputn1k_

  6. g e

    Ohhh so s/he's doing us a _favour_

    Well that's just dandy then.

  7. markbyrn

    Whether this Sputn1k_ fancies himself a whitehat or a blackhat, at the end of the day, the end users' personal data will be more secure when Canonical fixes the exploits that allowed the data theft. The implied suggestion that hackers should be morally upstanding and only expose the personal data of customers of big bad governments or large corporates with deep pockets is naive and ethically warped.

  8. Doctor Applescotch

    Typical leftie

    This is the result of the typical self-entitled, anarchist leftie mindset. Probably a regular at these forums.

    1. Roger Stenning

      Re: Typical leftie

      Really? And there was I, a transport worker, liberal-minded socialist, and firm believer in law being applied somewhere to the right of Genghis Khan, thinking that I was the only confused leftie around here ;-)
