Slashdot Mirror


Ubuntuforums.org Hacked

satuon writes "The popular Ubuntu Forums site is now displaying a message saying there was a security breach. What is currently known: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."

11 of 146 comments

  1. Re:That's what you get for running Ubuntu by akh · · Score: 4, Informative

    Um, what? For the base server install you get no network services installed whatsoever (not even SSHd). As for size, a base install of the current server version of Ubuntu is ~64MB of disk space IIRC. That's hardly what I'd call bloated.

    --
    Accept Eris as your Fnord and personally sate her
  2. Re:Ummm... by interkin3tic · · Score: 5, Funny

    Personally, I'm trying to remember which password I used on it.

    Reminds me of an old joke: a man looks glum, his friend asks what's wrong.
    The man says "I got a call from some guy, he said to stop sleeping with his wife or he'd kill me."
    Friend "Oh, that's too bad."
    Man: "The worst part is, he didn't say who his wife was."

  3. Re:That's what you get for running Ubuntu by NobleSavage · · Score: 4, Insightful

    I assume that the forum software was hacked. I believe they ran vBulletin which is often hacked. Nothing indicates the underlying OS was hacked.

  4. Password policy by readingaccount · · Score: 4, Interesting

    The passwords are not stored in plain text

    You'd hope so. That would be standard policy you'd assume by now (hashes are easy), but apparently it's still important to mention this given there are still way too many outfits storing plain-text passwords in their systems.

    I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

  5. Re:Ummm... by davetv · · Score: 5, Interesting

    I wonder when they are going to email the userbase with this announcement. I have received no email from them. Perhaps the hacker could alert the userbase as a community spirited gesture.

  6. Re:Should have used Windows. by tlhIngan · · Score: 3, Interesting

    The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

    No, because cracking passwords, even salted ones, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

    Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

    Ars Technica details it better.
    http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

  7. Re:Should have used Windows. by Anonymous Coward · · Score: 3, Informative

    Here you go, tlhIngan. If it's so easy, provide the password or a collision in the next 3 days.

      tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::

    I'll even cheat and tell you it's a combination of upper, lower, punctuation and numbers...
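The entry quoted above is a standard /etc/shadow line, and reading it the way a defender auditing password storage would (which scheme, which salt, how many rounds, when the password last changed) is the practical counterpart to the salting discussion in the comment before it. This is an added example, not code from any commenter or from Ubuntu Forums; the scheme table and all entries other than the first are constructed, and the parser only knows the $1$/$5$/$6$ crypt family plus traditional DES.

```python
import re
from datetime import date, timedelta

# Constructed table of the crypt(3) prefixes this parser understands (the
# $1$/$5$/$6$ family; bcrypt and yescrypt lay their fields out differently).
# Second element: True when the scheme is too fast or too old to keep using.
CRYPT_IDS = {"1": ("md5crypt", True), "5": ("sha256crypt", False), "6": ("sha512crypt", False)}
MODULAR = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$]*)\$([./0-9A-Za-z]+)$")
EPOCH = date(1970, 1, 1)

# Sample entries: the first is the line quoted in the comment above, the rest are constructed.
SAMPLE = [
    "tlhIngan:$6$PsLtDfSP$SISVIa7tbcxdIN6StnZMF.l6Vw1/mZFIrKmNUAidG7k090l5bLUqBZF/ItMU2A0RzhHQyMnH40t67tIVl.6VB0:15907:0:99999:7:::",
    "bob:$1$saltsalt$constructedDigest0123456:15000:0:99999:7:::",   # md5crypt, weak
    "legacy:abJnggxhB/yWI:1000:0:99999:7:::",                         # DES crypt, weak
    "svc:!:15000:0:99999:7:::",                                       # locked account
]

def parse_shadow_line(line):
    """Split one /etc/shadow style entry into the parts a storage audit cares about."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("not a shadow entry: %r" % line)
    user, hashed, lastchange = fields[0], fields[1], fields[2]
    entry = {"user": user, "algorithm": None, "salt": None, "rounds": None,
             "weak": False, "locked": False, "lastchange": None}
    if lastchange.isdigit():
        # field 3 counts days since the epoch, not seconds
        entry["lastchange"] = EPOCH + timedelta(days=int(lastchange))
    m = MODULAR.match(hashed)
    if hashed.startswith(("!", "*")):
        entry["locked"] = True
    elif m:
        name, weak = CRYPT_IDS[m.group(1)]
        default_rounds = 5000 if m.group(1) in "56" else None   # glibc sha-crypt default
        entry.update(algorithm=name, weak=weak, salt=m.group(3),
                     rounds=int(m.group(2)) if m.group(2) else default_rounds)
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        # traditional DES crypt: two-character salt, passwords truncated to 8 characters
        entry.update(algorithm="descrypt", weak=True, salt=hashed[:2])
    else:
        # empty (no password needed) or unrecognised: treat as needing attention
        entry.update(algorithm="unknown", weak=True)
    return entry

def audit(lines):
    """Return the users whose stored hash a defender should migrate to a slower scheme."""
    return [e["user"] for e in map(parse_shadow_line, lines) if not e["locked"] and e["weak"]]
```

The quoted hash parses as sha512crypt with salt PsLtDfSP at the default 5000 rounds, last changed on day 15907, i.e. 2013-07-21, the weekend the breach was announced.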

  8. Re:Password policy by Anonymous Coward · · Score: 3, Informative

    I remember reading the following advice - if you're unsure about the security of any company with whom you've got a password-secured account, just check to see if they have some kind of password recovery link on their login page. Normally these links should email you with a temporary password so you can make a new one, but if they happen to actually email you with your actual password... RUN!!!

    Because that's a totally accurate way of judging their security. Sarcasm aside, it's possible to use hashes badly (like unsalted MD5) and it's possible to encrypt passwords so that they're secure in the database and yet still retrievable (because the vast majority of attacks involve revealing database information, not executing code or downloading files).

    Guess what the best advice is? Use a different password for every site.

  9. Re:Should have used Windows. by Rockoon · · Score: 3, Interesting

    Salting helps against rainbow tables, but it's irrelevant to the integrity of the password itself.

    The important thing is that the hash is lossy so that even if salt+"abc613" hashes to the value in the database, there is no reason to believe that "abc613" was actually the password the user was using. He could have been using "manbearpig", for example. This is a case where longer hash values actually help the hacker/cracker.

    I don't pretend to know what the optimal size of the stored hash should be in order to protect the users' passwords, but I think it's almost certainly less than 32 bits. 32 bits is wide enough that attempting to find a hash collision at the login prompt is still silly, while also making the information gleaned from a brute force attack of the hash values almost useless.

    --
    "His name was James Damore."
  10. Re:Ummm... by philip.paradis · · Score: 3, Insightful

    Transmitting passwords in cleartext over email is an absolutely terrible practice, and is only made slightly worse by doing so when account holders may not realize anything has happened and thus may be significantly delayed in visiting their accounts to change their passwords once again.

    --
    Write failed: Broken pipe
  11. Re:But Linux is more secure with many eyes! by Anonymous Coward · · Score: 3, Informative