Ubuntu Linux Forums Hacked -- IP Address, Username, Email of 2M Accounts Compromised (betanews.com)
Canonical announced on Friday that Ubuntu forums have been hacked. The company adds that data such as IP address, username, and email address of over two million users have been compromised. BetaNews reports: Keep in mind, this does not mean that the operating system has experienced a vulnerability or weakness. The only thing affected is the online forums that people use to discuss the OS. Still, such a hack is embarrassing as it happened due to Canonical's failure to install a patch. In a blog post, Jane Silber, Chief Executive Officer, Canonical said, "after some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched."
Online forum software can be hard to update if any mods / plug-ins are in use.
Love the metadata on the image they used in TFA.. "Hacker desk laptop hoodie hacking hooded". I guess a white dude with facial hair and a hoodie is automatically "hacking" if he has a laptop out.
Now, if you'll excuse me, I have backups to corrupt.
... those bastards.
On a related note, my lawyer wants to know what the terms, "ubuntu," and "linux," and "forum," mean.
Help here, please?
It little behooves the best of us to comment on the rest of us.
I read TFA and it seems like they had some good practices in place. True, there was some contiguous PII released that could be used, along with other data, to identify someone. That said, they didn't lose any passwords.
Good on them. Sure, getting hit sucks, but this could have been a lot worse.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
23/07/2013
Hello,
You are receiving this message because you have an account registered with this address on ubuntuforums.org.
The Ubuntu forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted copy of your password from the forum database.
If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.
The ubuntuforums.org website is currently offline and we are working to restore this service. Please take the time to change your ubuntuforums.org account password when service is restored.
We apologize for any inconvenience to the Ubuntu community, thank you for your understanding.
The Canonical Sysadmins.
The vulnerability was an SQL injection. The operating system had nothing to do with it.
I hope they were not able to link my domain http://hackme.houghi.org/ to my IP address, because that would mean I am extremely hackable.
Don't fight for your country, if your country does not fight for you.
Paul Thurrott, is that you?
They should have hosted this stuff on open source software - it's super secure
So cool a security I thought you would enjoy it!
They should have used SQL Server instead of MySQL.
It has nothing to do with that either.
It's to do with inputs not being sanitized AGAIN, at a guess. Wouldn't matter which SQL it was if the code was written by a crack-addicted monkey with no concept of security (which apparently it was).
I log in using SSO. Has my account info been hacked too? If so, that's my main Google account :-(. Time to change some passwords, methinks.
Because informing people of what really happened would be just too burdensome.
Both the recent VerticalScope hack and this have one thing in common: vBulletin. It is a pile of junk, and especially since it was acquired by a firm known as Internet Brands. It is awful software, and a forum about an open source product which uses proprietary components is ethically unsound.
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.
AntiFA: An abbreviation for Anti First Amendment.
Looks like M$ is a contender in the race to the bottom.
Seriously though, management, through rehire/outsourcing methods, keeps pushing wages down. As the wages get lower the skills brought to the workplace are also going to suffer. This is basic COMMON SENSE. Though, lately, I am thinking I should call it UNcommon sense, as nobody seems to display it anymore.
16-7: Ubuntu Single Sign On Servers Hacked.
If only we had common uses of OpenID, compromising services would have essentially zero material benefit for the perpetrators...
Bye!
Microsoft and CIA (FBI/NSA) have to-and-fro deal.
Quick, make Linux look hackable too, our investors are pissed. Ok!
(Debian has FBI working on some of their teams too, expect same later there)
Well, probably 1.9 million of those were spam accounts. Ever run a forum?
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.
Don't be obtuse. "Linux" is most commonly used to refer to the complete server or desktop environment. When Linux fans are championing and encouraging people to switch their server or desktop to Linux they are referring to the entire environment, not merely the kernel. Just as when Windows gets hacked and it's something in the "software stack" and not the kernel itself, often something from a 3rd party, not Microsoft. Matter of fact, when the only "Linux" thing in an environment is the Linux kernel we tend not to call it "Linux" at all, for example Android. So don't start with this "Linux" only refers to the kernel nonsense; that is not how the word is used, and that includes within the Linux community.
They should have hosted this stuff on open source software - it's super secure
Yes, those two million users have four million eyeballs to verify the software with.
If they'd RUSTed the forum in RUST the hackers wouldn't have had any chance to RUST through the impenetrable security RUST offers. RUST!!
I guess you need these twits to expose the sloppy practices out there but it would be truly impressive if they could go after AT&T and others for using some of the *sshole collection agencies that spam our cell phone accounts with BS collection calls that don't relate to us. In other words, there are a lot of targets for a public service type of hacking out there. It must be more fun for them to be jerk off twits than to go after public nuisance targets.
Ubuntu is a systemd right? Like there's Windows, Mac, and Systemd computers? Can it also run Linux, maybe in some kind of VM?
The right sentiment, but not entirely true, actually. Some SQL injection bugs are only exploitable when a specific dialect of SQL is used under the hood. Some support query stacking (MSSQL), while others don't by default. Some allow for easy creation of files on the server's filesystem (MySQL), some don't. It's not exactly the norm, but also not uncommon for the behavior of a SQL dialect to mitigate a vulnerability. Not that one should rely on such behaviors for security, but it can assist. That's not to say this is a case where a different version of SQL would have helped, of course. I haven't looked at the details.
It does lead to confusion though. It doesn't take a lot of giggling to see that.
Yeah, if that level of granularity was used every time there was a security vulnerability related to software that runs on Windows then it might be relevant.
Not to mention the fact that Ubuntu isn't linux: It's a linux distribution that expressly provides an entire software stack, including the software that got hacked here.
SQL injections have nothing to do with the platform you're running them on. It's a result of sloppy programming. The same thing can happen on just about every OS and every SQL daemon.
You might have a point about Windows being unfairly maligned if it weren't for e.g. Internet Explorer being so thoroughly integrated into the OS that its vulnerabilities in the browser can be exploited even if the user doesn't use it.
Ah yes, here comes the Linux apologists trying to deflect any blame from Teh Liuxxxx!!!!!!
That's a fair point, since Microsoft's products are totally immune to SQL injection -- oh wait, no they're not, you knob.
Well, the operating system allowed the modification of key files. wooops.
Years later, we still deal with SQL injections when it was supposed to be "resolved" by now.
It does lead to confusion though. It doesn't take a lot of giggling to see that.
No, it leads to no confusion at all. People who understand what a kernel is understand the dual use of the word "linux" and easily figure it out from context. For those that don't know what a kernel is there is no problem there either since the context matches what everyone tells them, including the fanboys, that linux is a complete operating system that rivals Windows and Mac OSX.
But yeah, we do giggle at the fanboys who get all defensive when linux appears in a negative context.
Well, the operating system allowed the modification of key files. wooops.
And Mac OS X does not allow modifications of system files and thus proves once again that it is the superior *nix environment. :-)
Stop being weirdos. Nobody wants to create yet another account.
This is not the same forum as askubuntu.com?
You saw, or you were told?
It's funny when the person behind this comment is probably sitting on the toilet at work taking a shit laughing at his comment, and will go back to his desk and open a terminal or Linux virtual machine and keep working, checking his anonymous comment.
Yeah. This ain't just the kernel getting a pass for semantic reasons. This is like saying that a bug in Photoshop is because Windoze is teh suck.
If you think sanitizing inputs protects against SQL injection, I have a bridge to sell you. You need to parameterize/prepare your inputs, which separates your commands from your data. If your inputs cannot change your commands, then all is well.
Nice link on how not to use MS SQL correctly. General rule of thumb: you can't fix stupid. They will always find a way to use a tool incorrectly.
What's it like siding with lazy, ignorant people who misuse words?
The vulnerability was an SQL injection. The operating system had nothing to do with it.
I didn't read the article but the summary does not mention SQL injection. From the summary:
"... it happened due to Canonical's failure to install a patch."
What's it like siding with lazy, ignorant people who misuse words?
Yes, lazy ignorant people like Linus Torvalds who have been referring to the operating system as Linux since the early 1990s.