Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSUSE Forums Defaced, Email Addresses Leaked

Posted by Unknown on from the should've-used-slash dept.

sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.

82 comments

  1. Shocked that a company uses a product? by Anonymous Coward · · Score: 1, Insightful

    What, maybe they wanted to pay for something, rather than use the open-source alternative, which isn't always the best choice.

    1. Re:Shocked that a company uses a product? by 0racle · · Score: 0

      which isn't always the best choice

      But vBulletin was? Holy shit, what are the alternatives?

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Shocked that a company uses a product? by Hadlock · · Score: 2, Informative

      vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

      --
      moox. for a new generation.
    3. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 0

      I'm a little surprised that the OP would look down on a pretty standard product.

      He should; vBulletin sucks. Granted, everything else sucks worse, but that's like saying, "I'm surprised anybody looks down on Murrica for having a massive number of incarcerated citizens, what with North Korea around and all."

    4. Re:Shocked that a company uses a product? by mlts · · Score: 2

      I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.

    5. Re:Shocked that a company uses a product? by allanjude8027 · · Score: 1

      The attacker in this case was only armed with a known exploit for vBulletin. I am guessing they didn't even know NetIQ was there. Using any external authentication system would be a benefit in the case of a vBulletin exploit, as vBulletin is going to give the attacker full access to your SQL database, so having your passwords stored somewhere else, will require the attacker to be more than a run-of-the-mill website defacer.

    6. Re:Shocked that a company uses a product? by MechanicJay · · Score: 4, Informative

      Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backed web-applications. I can do access restrictions based on LDAP group memberships, inject identity information in http headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a Radius server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).

    7. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 2, Interesting

      Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.

    8. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 0

      add to that, that some of the biggest, busiest forums on the interwebs use vbulletin, including ubuntuforums.com and forums.steampowered.com. that fact that opensuse uses it is hardly "shocking" - the TFA, which the slashdot summary simply copies, is just trying to create controversy where none need exist

    9. Re:Shocked that a company uses a product? by mlts · · Score: 1

      I like the idea of having it in a separate product, on a separate server. Separation of duties 101. To boot, the product can use Google's Authenticator. This isn't the be all and end all in security, but it does provide the website designer with that ability to allow end users to use two factor authentication.

      So far, I've done some work on an appliance that is essentially a separate box that stores username/password hash tuples, prohibits a wholesale dump of files (unless one physically attaches a usb flash drive), and handles the lockouts on the appliance end, so even if the web app and DB got hacked, the username/passwords are out of reach, barring a physical intrusion. However, something like this product stated above seems to do what I've been doing on an amateur level a lot better.

    10. Re:Shocked that a company uses a product? by Hadlock · · Score: 0

      It sucks as a product in 2014, but it also scores as a 6.1 out of 10 on the "good enough"scale, which is why nobody has tried replacing it. It's also why apps like utorrent still exist.

      --
      moox. for a new generation.
    11. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 0

      In my experience, among the paid options, vBulletin sucks more than the alternatives. Invision Power Board is a relatively blissful experience.

    12. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 0

      Also of note, IPB officially supports (though at additional cost) databases that aren't MyShitQuality.

    13. Re:Shocked that a company uses a product? by Kalriath · · Score: 1

      No it doesn't. All the other database drivers were phased out (source: I was the poor bastard that maintained MSSQL for it).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    14. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 0

      They could have paid for Lithium or Jive and just let someone else manage them.

  2. SUSE/openSUSE using proprietrary software by __aardcx5948 · · Score: 2

    ... no it's not shocking, you use the best tool for the job.

    1. Re:SUSE/openSUSE using proprietrary software by mcgrew · · Score: 1

      Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      --
      Free Martian Whores!
    2. Re:SUSE/openSUSE using proprietrary software by rujasu · · Score: 1

      ... which vBulletin 4.x clearly was not.

    3. Re:SUSE/openSUSE using proprietrary software by SJHillman · · Score: 2

      Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.

    4. Re:SUSE/openSUSE using proprietrary software by amicusNYCL · · Score: 3, Informative

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:SUSE/openSUSE using proprietrary software by Anonymous Coward · · Score: 0

      Which is *never* Linux in the wake OS X and Windows 7 not sucking.

    6. Re:SUSE/openSUSE using proprietrary software by poet · · Score: 1

      Mcgrew,

      I would love for you to cite your comment with references to Open Source single sign-on software that is better than the closed source contenders. (I will grant you that it is ridiculous that they were using closed source bulletin board software).

      --
      Get your PostgreSQL here: http://www.commandprompt.com/
    7. Re:SUSE/openSUSE using proprietrary software by Anonymous Coward · · Score: 0

      Nothing is unhackable, hard to do maybe, but not impossible.

    8. Re:SUSE/openSUSE using proprietrary software by Anonymous Coward · · Score: 0

      No, it's not surprising. SUSE is in bed with Micro$oft. https://en.wikipedia.org/wiki/Suse_linux#Microsoft_agreement

    9. Re:SUSE/openSUSE using proprietrary software by Anonymous Coward · · Score: 0

      Because Microsoft makes vBulletin?

    10. Re:SUSE/openSUSE using proprietrary software by Anonymous Coward · · Score: 0

      SUSE != openSUSE

      It is not like Fedora, nor is it like Centos.

    11. Re:SUSE/openSUSE using proprietrary software by Kalriath · · Score: 1

      Shibboleth? Hahahahaha... erm. I'll see myself out.

      But seriously, as another person mentioned, to SUSE, NetIQ Access Manager isn't closed source - it's their own product (well, made my another company in the same group).

      In terms of it being ridiculous that they were using a closed source bulletin board... why is that? They simply decided vBulletin was the best tool for the job, it's not like they were using vBulletin 5 or anything.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    12. Re:SUSE/openSUSE using proprietrary software by exomondo · · Score: 0

      Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

      So what bulletin board software is unhackable then?

  3. Proprietary, No Cost, Open Source by tomhath · · Score: 1

    People seem to confuse those terms. AFAIK vBulletin is proprietary and charges a reasonable fee to use. I have no idea if the source is available but is appears to be mostly PHP, Javascript, and HTML - so maybe.

    1. Re:Proprietary, No Cost, Open Source by amicusNYCL · · Score: 1

      The system requirements only list various versions of PHP and MySQL. They don't say anything about requiring something to execute encrypted PHP source code, and they don't require any particular OS so it doesn't sound like they ship binaries.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Proprietary, No Cost, Open Source by Kremmy · · Score: 2

      Being a web application written in PHP, the very process of compiling to a binary is rarely ever even brought to the table. The source code is equivalent to the executable code in almost every one of those cases.

    3. Re:Proprietary, No Cost, Open Source by Kalriath · · Score: 1

      vBulletin comes with source. It does not utilise ionCube or Zend encoding.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    4. Re:Proprietary, No Cost, Open Source by Anonymous Coward · · Score: 0

      Anything that lists MySQL as a requirement should simply not be used.

  4. vbulletin has been going down the drain for.. by Anonymous Coward · · Score: 0

    vbulletin has been going down the drain for years already. this isn't surprising to say the least.

  5. vBulletin has been a security risk for ages. by Kremmy · · Score: 1

    Why are major linux distributions relying on proprietary software after the whole BitKeeper fiasco anyway?

    1. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 2

      Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:vBulletin has been a security risk for ages. by Anonymous Coward · · Score: 2

      What does "proprietary" have to do with "costs nothing"?

    3. Re:vBulletin has been a security risk for ages. by Kremmy · · Score: 1

      "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

      That's kind of the point.

    4. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 3, Informative

      That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:vBulletin has been a security risk for ages. by Anonymous Coward · · Score: 0

      That's what I'm wondering

      So why did you address your GP reply to the GGP, since nobody in this conversation sees any relation between the two questions?

  6. Ugh, not "a software" again by jabberw0k · · Score: 4, Funny

    vBulletin is a proprietary forum software.

    No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.

    1. Re:Ugh, not "a software" again by Anonymous Coward · · Score: 1, Funny

      I have an information for you. It says a hardware may help you to by a clothing. But you'll need a software installed first.

    2. Re:Ugh, not "a software" again by GodfatherofSoul · · Score: 2

      So, YOU'RE the asshole TA from English comp who gave me that D...excuse me...gave me A D!

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    3. Re:Ugh, not "a software" again by Anonymous Coward · · Score: 0

      Don't forget a hot piece of ass.

  7. Pity it wasn't Ubuntu Forums (again) by johnsie · · Score: 1, Offtopic

    The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.

    1. Re:Pity it wasn't Ubuntu Forums (again) by Anonymous Coward · · Score: 0

      "Infraction" is probably the word you were intending to use.

    2. Re:Pity it wasn't Ubuntu Forums (again) by Dcnjoe60 · · Score: 1

      The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.

      If criticizing Ubuntu will get me a new tablet, sign me up! (Per wikipedia: " Refraction is essentially a surface phenomenon")

    3. Re:Pity it wasn't Ubuntu Forums (again) by Anonymous Coward · · Score: 0

      The mods on Ubuntu forums hand out refractions like there's no tomorrow.

      Hand out refractions?? Your comment makes no sense at all. Got a loose diode there, Watson?

  8. OMG That's Precious by stevegee58 · · Score: 1

    H4x0r HuSsY. You just can't make this stuff up.

    1. Re:OMG That's Precious by csumpi · · Score: 1

      He could improve it though, just by reversing the order:

      HuSsY H4x0r

      .

  9. OSS FTW by Anonymous Coward · · Score: 0

    I always choose an OSS product, even if it means I get less functionality. Another thing I've noticed of late is more and more developers I keep up with are moving towards the BSD license. Are you guys seeing this? This is happening in the US as well as the EU. It's an interesting trend.

  10. H4x0r HuSsY... you are a D-Wad... by Anonymous Coward · · Score: 0

    I know how to jimmy my neighbors windows open but that does not make it OK to do so. H4x0r HuSsY... you are a D-Wad...

  11. OpenSuSE by JohnVanVliet · · Score: 2, Informative

    as a long time OpenSuSE user the forum has beed a problem for a very long time
    Novel controls it
    NOT OPENSUSE !!!!!!

    and this has been a long standing problem for the site admins
    they really do not control it

    as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
    one MUST turn off the min. size font used
    or use a 9 pt font

    that can ONLY be changed by Novel and NOT by the OpenSUSE forum

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    1. Re:OpenSuSE by Anonymous Coward · · Score: 0

      It might help if you spelt the company name correctly. It's NOVELL, 2 L's...

  12. I need a h@cX#r name. by csumpi · · Score: 1

    I'm just worried it would take lots of extra time and effort to type something like H4x0r HuSsY multiple times a day.

  13. But how did these get indexed? by Anonymous Coward · · Score: 0

    Same thing to this one:
    https://www.google.com/search?q="You+have+registered+the+following+telephone+number+in+the+National+Do+Not+Call+Registry"

    How can Google index a page that is not linked anywhere?

  14. Shocking? by Dcnjoe60 · · Score: 4, Informative

    It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution.

    While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

    1. Re:Shocking? by CastrTroy · · Score: 3

      Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Shocking? by Dcnjoe60 · · Score: 1

      Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

      You aren't free to redistribute the source, which is keeping it from being classified as open source, but otherwise, I agree, from the user perspective, it has all of the benefits of open source.

    3. Re:Shocking? by Anonymous Coward · · Score: 0

      Access Manager was a Novell product, Novell purchased SuSE, NetIQ purchased Novell. Not so surprising to me.

    4. Re:Shocking? by Kalriath · · Score: 1

      Actually, I don't think redistribution rights are a requirement of Open Source, only of Free/Libre Software.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    5. Re:Shocking? by Xtifr · · Score: 2

      Funny, because redistribution is listed as point one in the Open Source Definition.

    6. Re:Shocking? by Kalriath · · Score: 1

      Fair enough, it appears I'm wrong on that.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  15. Well... by Lirodon · · Score: 1

    vBulletin has pretty much become crap since Internet Brands bought it. Even IPB would be a bit more tolerable...

  16. Send in the Drones by Anonymous Coward · · Score: 0

    It is time the United States of America sends UAVs into Pakistan to wipe this H4x0r HuSsY off the planet. What? You were thinking the same thing when you realized this Paki must be a terrorist. "Die. Die. Die." as the Daleks say.

    1. Re:Send in the Drones by crutchy · · Score: 1

      Send in the Drones

      i read that and thought you were talking about democratic party voters

  17. 4.2.1 was old by mrspoonsi · · Score: 2

    It was patched to 4.2.2 in October, 4.2.1 had serious issues, even with 4.2.2 there have been 2 security announcements to remove vulnerable files (which are not needed to run the forum).

    1. Re:4.2.1 was old by Anonymous Coward · · Score: 0

      4.2.1 and 4.2.2 both had the same basic security issue.
      There was a hack available if the installation directory was left publicly accessible after install/upgrade.
      The fix: 1) delete it; or 2) protect it with .htaccess
      This is well known and the admin would have got an email.

      Both 4.2.1 and 4.2.2 latest releases are secure unless you have a faulty 3rd party add-on.

      The site admins should have contacted vB for support.
      FYI I am the admin for a 1m post / 20k member vB site.
      4.2.2 was a maintenance release supporting PHP 5.4

  18. PHP drrrp by Anonymous Coward · · Score: 1

    People need to stop using shit written in PHP,

    They got what they deserved, stupid bastards.

    1. Re:PHP drrrp by crutchy · · Score: 0

      could be worse... asp

  19. Again! Crap. Checking... Checking... by Anonymous Coward · · Score: 0

    Another website intrusion leaking the personal data that they insisted on before allowing me access. I'm about sick of this crap.

    Which of my email addresses did they get? Checking... Checking... Oh, yea. It was a throwaway.

  20. About NetIQ Access Manager by LDAPMAN · · Score: 1

    NetIQ Access Manager is rock solid and massively scalable. I support multiple systems that use it for over 30 million users. Nothing better for web access management.

    1. Re:About NetIQ Access Manager by MechanicJay · · Score: 1

      30 Million! My AM environment is serving barely 5K. I'd love to get some details on your infrastructure. How many IDPs and AGs are you running?

    2. Re:About NetIQ Access Manager by LDAPMAN · · Score: 1

      Please contact me directly at jcombs@pointbluetech.com and I'll answer any questions you might have. Running the 3.2+ version of the gateway on Linux we have been able to run over 30K concurrent sessions on a single node. We have gone to 50K in testing on some monster hardware.

  21. Access Manager by LDAPMAN · · Score: 1

    In this case it's even better. None of the user authentication data is on the NetIQ appliance. It's all stored on an LDAP server even further back behind additional firewalls.

  22. Hacked? No, they installed the latest cdrtools by Anonymous Coward · · Score: 0

    The forums were not hacked. They upgraded to latest OpenSuSE Factory, which includes cdrtools again.

    And guess what, this time the Anti-SuSE message in cdrtools really went big time.

  23. Really? by Anonymous Coward · · Score: 0

    I have a hard time believing that there's anyone in Pakistan that actually owns a computer, let alone knows how to find and run script-kiddie scripts. I mean that country seems full of people so mind-boggling stupid that it's a wonder they know how to eat, breathe and procreate. Yes, I know they allegedly have nuclear weapons but how can they have smart people in a place so full of seemingly retarded people living so deep in the dark ages that cavemen seems sophisticated in comparison. It boggles the mind.

    Okay, yes I guess there must be exceptions to the rule but while they may be smart in some ways, they're clearly not smart enough to get rid of all the stupid people grabbing the international headlines by doing something ridiculous on a daily basis.

    I'm sorry, but as long at you allow crazed-looking bearded toothless men waving Korans and AK47's yelling "Down with USA!" to fill the streets, you're just not going to get any respect whatsoever. And as long as these people hide internationally wanted terrorists, the US is going to hit them with drones and Hellfire missiles in order to do something about the menace they cause. I'm sure the US government is sorry about any collateral damage but when they're hiding behind women and children, someone else is bound to get hurt on the way. Unfortunately for their women and children they're all about yelling and posing but deep within they're just sad cowards that are not men enough to stand tall and fight fair, and thus they deserve what they get.

  24. don't care? by Anonymous Coward · · Score: 0

    Shitty Linux.. Novell and Canonical can blow my dog.

  25. Hahahaha!! by matbury · · Score: 1

    Used insecure proprietary software; got pwned. If the software has pretty GUIs and simple tools, that makes it nicer and easier for the hackers to pwn you.

    Best tool for the job? Not if its security sucks.

  26. Just cause you have the source don't make it free by taikedz · · Score: 1

    I know I'm late to the party, but I can't let this one slip :-). So, a bit of Free Software Philosophy 101 to serve up

    First off, Stallman's definitions of Software Freedoms:

    1. The freedom to run the program, for any purpose (freedom 0).
    2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
    3. The freedom to redistribute copies so you can help your neighbor (freedom 2).
    4. The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

    Secondly the consequence: Nobody but vBulletin is allowed to patch the hole, from a legal standpoint, lacking freedom 1, and thus lacking freedoms 2 and 3. Legally, SUSE cannot modify/improve/patch the software - they can only purchase upgrades.

    I leave this here, you know, just in case.

    --
    -- "Simplicity is prerequisite for reliability." --Dijkstra
  27. Re:Just cause you have the source don't make it fr by amicusNYCL · · Score: 1

    I'm not sure what the license actually says, so I'm not sure if they expressly disallow people from making changes or not. Practically, they couldn't do that, if they are distributing the code then people are able to change it. It might not make sense to change it if you're just going to update at some point in the future, but it's a possibility.

    Anyway, the reason I kept posting things like that was because people kept referring to the software as "closed-source" or something like that, when it's not. The source is open, it's just not free. The major difference between vBulletin and any other open-source PHP project is the license, that's it. It's open-source software that isn't free (both kinds).

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black