Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drupal.org User Accounts Compromised

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "The Drupal.org team released a bulletin this evening notifying users of a breach in their infrastructure. From the bulletin: 'The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords... All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.' Users are encouraged to update their Drupal.org passwords and the passwords of any accounts that could be linked via the compromised information."

15 of 60 comments (clear)

  1. Re:third-party software? by Crudely_Indecent · · Score: 3, Interesting

    They probably don't know what happened.

    If I was a hacker, attempting to gain user account passwords - here's how I'd do it:
    1. I'd breach the server and install something that would capture newly submitted raw passwords prior to them being salted/hashed
    2. I'd inform the site owner that I'd hacked them and provide some proof. The site owner then warns everyone to change their passwords.
    3. New, fresh, raw, non-salted, non-hashed passwords come flowing in.

    Rainbow tables and brute-force password cracking is resource intensive. Why not grab 'em while they're in the clear?

    --


    "Lame" - Galaxar
  2. Re:If only SSO ... by muphin · · Score: 2

    or if this "federated single sign-on strategy" were compromised, all accounts on all websites would be affected.

    --
    It's not a typo if you understood the meaning!
  3. Passwords? More like passsentences. by Anonymous Coward · · Score: 5, Funny

    As a recent Ars Technica article has uncovered, it is possible for a dedicated and knowledgeable attacker to reveal as many as 90% of passwords in a database. The sophistication of password cracking has never been higher, and common advice such as "use a mix of numbers, symbols, and uppercase letters" is no longer sufficient to fully ward a salted and hashed password from either compromise or ultimate flavor.

    While brute force cracking is rendered useless by any properly implemented password system, hackers have responded by tailoring dictionary attacks using techniques such as the following:

    • * Uppercase, in languages such as English, Japanese, or Spanish, typically appears at the beginning of a password, while symbols and numbers usually show up at the end.
    • * Combinations of words, such as the famous "horsebatterystaple" or the lesser known "walruspusflange", while suggested to extend the length of a password and reduce its susceptibility to brute forcing techniques, may nevertheless leave it vulnerable to directory combining attacks. Common passwords attached to each other sometimes reveal other passwords.
    • * Upwards of 50% of passwords contain the winner of the most recent Super Bowl, World Series, or Eurovision Song Contest, or some combination of letters used to spell such.
    • * Custom password dictionaries are available for passwords created by mashing the palm of the hand from left to right on the keyboard, and more are in development for mashing right to left (for RTL languages.)

    So, how to keep your password safe in this age of uncertainty? Well, there is no sure way. But consider the following to stay one step ahead of the bad guys:

    • * Use a password length of 100 characters or greater, including a mix of uppercase letters, numbers, and symbols.
    • * Work out what your usual password is in EBCDIC, and enter it using the Alt key and your keypad.
    • * Invent a language with a million characters, get it accepted in Unicode, and develop a gigantic keyboard for it. Or learn written Chinese.

    Once compromise happens, you have to assume your passwords will be known by the attackers before you do. Regularly changing your password is part of good Internet hygiene, so you may want to look for software that can automatically do this for you every minute or so. You may also want to consider two factor verification, typically a password and an application on your cellphone that gives you an access code, or three factor verification, which includes with the preceding an application on your friend's cellphone that gives a second access code that he'll send you on request. You cannot be too safe these days.

  4. Re:third-party software? by Wraithlyn · · Score: 4, Informative

    This is why you rebuild your compromised environment. Which is exactly what the bulletin says they did.

    --
    "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
  5. Re:If only SSO ... by manu0601 · · Score: 2

    No, there is no central place in federated single sign-on . In order to compromise all accounts, you would need to compromise aill identity providers.

  6. Re:vulnerability fatigue by TheRealDevTrash · · Score: 3, Funny

    Joomla. now there's a secure CMS.

    --
    I used to be /dev/trash but Slashdot no longer allows slashes for usernames.
  7. The End of Passwords by rueger · · Score: 3, Insightful

    I'll admit to a) reusing the same password on most forums, since it largely wouldn't matter if someone accessed them. b) using shorter passwords for most stuff, and long complex ones for the handful of places that actually need security, a c) Using the "Forgot Password?" link on most web sites that I don't visit often and just accepting whatever reset they offer.

    It's time to acknowledge that passwords are an idea that has come and gone. Too much hassle. Too many different password specifications from site to site. Too many to remember. Too many poorly constructed sites trying to tell users that bad security is their fault for not have super long and complex passwords. Too many sites where I actually now have three or four user IDs and passwords because I couldn't remember the last password I used there, or had changed my e-mail address since last visiting.

    And too many sites, banks especially, that still demand to know my mother's maiden name, or worse yet, arcana from my youth that I don't even remember. My first pet's name? My favourite TV show? I have no idea. Or likely would answer that differently a month from now.

    It's no wonder that most people ignore all of the password edicts that are thrown at them, and never change anything, and use the same password everywhere.

    Surely we can develop some new way of confirming people's identity that allows us to abandon the idea of passwords? I vote for an RFID pinky ring with a plug in USB reader on my computer.

    --
    Three Squirrels
    1. Re:The End of Passwords by SplatMan_DK · · Score: 3, Insightful

      Sounds like you need a simple mechanism for unique passwords. I have a suggestion for you to consider.

      Personally - I "salt" a standard password with the name of the website: the first initial of each of the words in a site's name for example. If my 'standard' password was for example "Aware20130530ness", and I was signing up for slashdot, I can simply add the letters to the start of the password, resulting in "sdAware20130530ness"

      Right, clever boy, and now that you have revealed this, it will be trivial for any cracker to include this pattern in their decryption script ... if it isn't already there (which is not impossible at all). Commonly used patterns such as the one you describe can be identified mathematically and easily applied to the decryption process. The added work of even 100 patterns absolutely pales in comparison to real brute-force, so you should expect crackers to get past your "salt" real easy.

      Making patterns like yours from the name of the website, or information in the usertable, is standard operating procedure when cracking.

      Stop doing it. It does little to help you. At the very least you should use a pattern containing characters not present in the website name, and not present in your user properties on the site in question.

      - Jesper

      --
      My security clearance is so high I have to kill myself if I remember I have it...
  8. Re:what is the third party software? by kbahey · · Score: 3, Insightful

    It is known, but they did not name it publicly because the investigation is still ongoing.

    --
    2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
  9. Re:Passwords? More like passsentences. by magic+maverick+ · · Score: 2

    Your post is almost totally plausible. Where it particularly falls down though is that Japanese doesn't have any conception of capital and lower case letters. The kanji are just Chinese characters (by and large), and the kana only have one form for most (there are small versions of some kana, but they play a different role in words to the large versions, unlike in English where the capitals still play the same role in the word, but affect grammar). (Though there are two types of kana, the point still stands.)
    And smashing the keyboard to get dictionaries is funny. I had to think about it for a bit, and you know, it's still plausible. But, build the dictionaries from the home row keys I think. (Most of my "random" passwords have asfd in them.)

    And of course the trouble with using spaces and non-latin chars in your passwords is that many systems just don't accept them. Or accepts them when initially entering your password, but silently fails; so you end up not knowing what your password is, because the system has converted the Japanese kanji to something weird, and then doesn't do the same conversion for login.

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
  10. What method was used? by SplatMan_DK · · Score: 2

    While current phpass implementations support bcrypt it has not always been so, and the framework support many different methods.

    The article doesn't admit which method was used (suggesting they're not proud of their choice perhaps?). Does anyone know what method was used?

    The articles at Ars mentioned by multiple ./ers here, were based on MD5 (which is totally unsuitable for passwords btw). So don't panic until the method used by drupal.org has been revealed.

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
    1. Re: What method was used? by Anonymous Coward · · Score: 2, Informative

      Nope. They're in the upgrade process. It's currently based on Drupal 6... Which is md5 by default

  11. Re:vulnerability fatigue by SplatMan_DK · · Score: 2

    Anyone else sick to death of Drupal-related security issues?

    Trolling as AC ... and making it clear you really didn't RTFA ... ;-)

    The breach was in a 3rd party module installed on the servers, and is totally unrelated to the Drupal codebase.

    Trolling fail! :-)

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  12. Re:And remind me by SplatMan_DK · · Score: 2

    why I need to pick a "secure password" again?

    Doh! Because if your password is "secure" it can't easily be decrypted in the exact scenario described here? :-)

    All the weak passwords are the ones to fall first. If you used something along the lines of "sFr95y/Gfd0w2_z+3xnMCIr4yl,cdjEO" (and perhaps a password manager to keep track of it) this particular story wouldn't really matter to you at all... ;-)

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  13. Re:Passwords? More like passsentences. by pongo000 · · Score: 2

    Combinations of words, such as the famous "horsebatterystaple" or the lesser known "walruspusflange", while suggested to extend the length of a password and reduce its susceptibility to brute forcing techniques, may nevertheless leave it vulnerable to directory combining attacks. Common passwords attached to each other sometimes reveal other passwords.

    A silly and false assertion. Assume standard passwords in use. Your "dictionary" would consist of a list of characters ([A-Za-z]), digits ([0-9]), and punctuation. I don't know how many tokens that is, but let's say it's less than a 100. So you end up with a "dictionary" of 100 tokens.

    The passphrase "dictionary" at Diceware consists of 7776 tokens. There is simply no way the argument can be made that a "dictionary" of 100 tokens is somehow more secure than a "dictionary" of 7776 tokens, provided that tokens are selected randomly from either dictionary. That's the key, randomness. Not what you use as your tokens.