Amiga.org

Amiga News and Community Announcements => Amiga News and Community Announcements => Amiga.org site announcements => Topic started by: Karlos on January 14, 2012, 01:23:25 AM

Title: Change your passwords
Post by: Karlos on January 14, 2012, 01:23:25 AM
Dear all,

Several accounts here have been compromised in recent days. We have no evidence at this time to suspect that the server itself has been compromised. So far the issue appears to be one brought about through the use of weak passwords reused across multiple forums, as all of the known compromised accounts have been misused on other forums already.

With that in mind, please change your passwords for this and every other amiga forum you visit, making sure each one is unique and as strong as possible (use mixed case, numbers and symbols where you can, the longer the better).

We apologise for any inconvenience.
Title: Re: Change your passwords
Post by: Tripitaka on January 14, 2012, 01:46:33 AM
Done. I just hope I don't lose the paper I wrote it on; I've no chance of actually remembering it. XD
Title: Re: Change your passwords
Post by: Matt_H on January 14, 2012, 01:49:58 AM
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.
Title: Re: Change your passwords
Post by: orange on January 14, 2012, 01:55:08 AM
Quote from: Tripitaka;675702
Done. I just hope I don't lose the paper I wrote it on; I've no chance of actually remembering it. XD

I hope it's not 'hunter2' :)
Title: Re: Change your passwords
Post by: LoadWB on January 14, 2012, 02:24:21 AM
Web security is fun.  After reaching a total of 40-some passwords of my own I had to memorize, on top of customer passwords, I let Firefox save my passwords.  In and of itself this is not secure, but I also encrypt my profile so obtaining the files without my private key is useless.  Then each website uses a different password generated by apg, which creates NIST standard pronounceable passwords of whatever parameters you want, like 32 characters with special symbols and numbers, etc.

Default config (with -t to show pronunciations) creates something like this:

CrobOkus (Crob-Ok-us)
lidMuenn (lid-Muenn)
ciQuegsId9 (ci-Quegs-Id-NINE)
ubcorak$ (ub-cor-ak-DOLLAR_SIGN)
athGhakfum (ath-Ghak-fum)
dodMiuv[ (dod-Mi-uv-LEFT_BRACKET)


Or more complex, 32-character passwords which must contain capitals, lower-case, numbers, and special characters:

TafApJekAdd$ocealavwycsodbekcor9 (Taf-Ap-Jek-Add-DOLLAR_SIGN-oc-eal-av-wycs-od-bek-cor-NINE)
ucQuipsurrakbuzopp4ovVajDinchaj# (uc-Quips-urr-ak-buz-opp-FOUR-ov-Vaj-Dinch-aj-CROSSHATCH)
ScijyotNoimyatyeydPoodEwon1cylf& (Scij-yot-Noim-yat-yeyd-Pood-Ew-on-ONE-cylf-AMPERSAND)
~Ozvaujkent8OzdiCoiljevpanwogLoi (TILDE-Oz-vauj-kent-EIGHT-Oz-di-Coilj-ev-pan-wog-Loi)
TydTeogvalegHywridik/odJatovjan5 (Tyd-Te-og-val-eg-Hy-wrid-ik-SLASH-od-Jat-ov-jan-FIVE)
uskingAg3KigByldEegEdReejOckcur< (usk-ing-Ag-THREE-Kig-Byld-Eeg-Ed-Reej-Ock-cur-LESS_THAN)


I love this utility.  If I forget a password (yeah, I'm not remembering 32-character passwords, for the most part) or Firefox's saved password is defeated (it happens), then I just go through the process to create a new one.  (And I didn't use any of the above here hehehe)
Title: Re: Change your passwords
Post by: bbond007 on January 14, 2012, 02:31:40 AM
Who is trying to hack Amiga sites anyway? Atari ST users?
Title: Re: Change your passwords
Post by: save2600 on January 14, 2012, 02:47:08 AM
Quote from: bbond007;675707
Who is trying to hack Amiga sites anyway? Atari ST users?

The Atari SF354 is the greatest, most useful and most reliable drive on the planet!

I also love the fact it requires its own external power supply. So kewl!
Title: Re: Change your passwords
Post by: Duce on January 14, 2012, 02:57:51 AM
Thanks for the heads up, Karlos.  Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm
Title: Re: Change your passwords
Post by: Tripitaka on January 14, 2012, 04:00:17 AM
Quote from: orange;675705
I hope it's not 'hunter2' :)

Oh, you mean *******, hey that's odd, when I type it I just get stars. :/
Title: Re: Change your passwords
Post by: amiman99 on January 14, 2012, 04:00:52 AM
Quote from: Duce;675709
Thanks for the heads up, Karlos.  Changed mine.

Anyone looking for a quick and easy complex PW generator, try:

https://www.grc.com/passwords.htm
Yes, I use a similar website to generate my passwords.
Just changed mine on this and other forums, just to be safe, and of course they are different across forums.
Title: Re: Change your passwords
Post by: tomazkid on January 14, 2012, 04:11:13 AM
Quote from: Matt_H;675704
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes? Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

The obsolete part is the CMS; XOOPS is old and obsolete, and will be replaced, though it takes time.
The OS the site runs on was changed when aw.net moved to a new ISP, and is up to date.

Quoting Karlos regarding where the passwords come from:

"We have no evidence at this time to suspect that the server itself has been compromised. "

Same goes at aw.net; Sibbi has not found anything strange in the logs thus far.
Title: Re: Change your passwords
Post by: Pyromania on January 14, 2012, 04:52:55 AM
Thanx Karlos
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 10:59:17 AM
Quote from: Tripitaka;675713
Oh, you mean *******, hey that's odd, when I type it I just get stars. :/

:lol:

For those not following, see: http://bash.org/?244321
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 12:26:14 PM
Quote from: Matt_H;675704
Hypothesis: Wasn't one of the reasons Wayne moved away from Xoops the presence of some significant security holes?

There were a number of issues. The version of XOOPS that this site used previously (which I believe was even more obsolete than the install at AW) had weak hashing for passwords. However, the main impetus for moving to vB was that the hosting provider was set to remove all support for older PHP versions and associated libraries as part of a managed update to 5 (again, for security reasons). The version of XOOPS that was installed, which was extremely outdated by then, proved to be incompatible with the updates (bits worked, other bits didn't: basically a classic legacy PHP4-style application struggling with the changes to the Zend engine since PHP5).

The decision to move to vB was down to a choice between an updated version of XOOPS that would work after the update but be problematic for all the old Amiga browsers, or some other platform. The only reason the site stuck with its ancient version of XOOPS for so long in the first place was for classic Amiga browser compatibility (that, and the fact that there was no upgrade path for most of the installed modules, either). With that consideration out of the window regardless, alternatives were evaluated and vB was chosen as it scored better on a number of critical areas, including security.

Quote
Maybe the AW.net server is the weak point. Is anyone in touch with the admins over there?

Yes, we're in touch and cooperating on the problem.

Quote
Fortunately, the only other place I'm registered is Morphzone, and my password there is so convoluted that even I can't remember it!

Just did a passwd Matt_H, nonetheless.

That's for the best. No matter how strongly we salt and hash your password, if it is the same as you use on half a dozen other sites and one of those is the weak link, there's not a lot we can do other than reset it for you.

So once again folks, change your passwords if you haven't already and under no circumstances use the same password on more than one forum!
Title: Re: Change your passwords
Post by: orange on January 14, 2012, 01:11:05 PM
thank God its not Doomy, or this would have turned into amiga2000.org ! :D
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 01:18:25 PM
All joking aside, this is a very serious issue.

The individual responsible has a tendency to change the email address associated with the account such that any attempts by the legitimate owner to request a new password will be in vain. Consequently, accounts that have been compromised will have their passwords and email addresses totally reset. The legitimate owners of any such account will have to contact us directly to have their email address restored. After which, they will be able to request a new password via the regular mechanism.

We are still investigating the possibility that this site was compromised directly, though so far nothing untoward has been spotted.
Title: Re: Change your passwords
Post by: Buzzfuzz on January 14, 2012, 01:31:03 PM
My EAB account is gone, so I have changed them all so far.
I must point out that EAB's vB version is pretty outdated, so maybe it started there.
Title: Re: Change your passwords
Post by: ChaosLord on January 14, 2012, 01:49:57 PM
I was on Amiga.org, then went to write an email, then pressed the back button and got this:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@amiga.org, and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache mod_qos/9.69 mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.amiga.org Port 80
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 01:59:38 PM
That could be down to load. I've just been recursively checksumming all the files on the site against their last known state. It's an expensive operation.
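The check Karlos describes above, recursively checksumming the web root against its last known state, is a standard baseline-and-compare integrity check. The following is an added example, not the site's own script: it builds a manifest of SHA-256 digests for every regular file under a directory, compares it with a stored manifest, and reports what was added, removed or modified. The directory layout and file contents in `demo()` are constructed for illustration. It assumes the baseline was taken while the tree was known-good and is kept somewhere the web server account cannot write (an attacker who can alter `index.php` can also alter a manifest stored beside it), and it deliberately ignores timestamps, which are trivial to forge.

```python
"""Baseline-and-compare file integrity check (added example, not the site's own code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped rather than followed, so a planted link cannot pull
    files from outside the tree into the comparison or hide a replaced file.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the paths that appeared, vanished, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'known good'; ?>\n")
        (root / "includes" / "config.php").write_text("<?php $db = 'example'; ?>\n")
        baseline = build_manifest(root)

        # Simulated tampering after the baseline was taken (constructed, not real data).
        (root / "index.php").write_text("<?php echo 'changed'; ?>\n")   # modified
        (root / "includes" / "extra.php").write_text("<?php ?>\n")       # added
        (root / "includes" / "config.php").unlink()                      # removed

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same manifest can be diffed against a fresh checkout of the forum software's release tarball to separate "modified by the attacker" from "modified by a legitimate local patch". Running it on a live tree is I/O heavy, which is consistent with the load Karlos mentions; hashing only files under the document root and excluding caches and upload directories keeps the run short enough to repeat.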
Title: Re: Change your passwords
Post by: Matt_H on January 14, 2012, 03:53:30 PM
Quote from: Karlos;675735
:lol:

For those not following, see: http://bash.org/?244321

Very funny, thanks :)
Title: Re: Change your passwords
Post by: Matt_H on January 14, 2012, 03:58:03 PM
Quote from: Karlos;675751
We are still investigating the possibility that this site was compromised directly, though so far nothing untoward has been spotted.

Maybe it was an inside job! Cue the melodramatic music and unusual zoom-in effects! :lol:
Title: Re: Change your passwords
Post by: Buzzfuzz on January 14, 2012, 04:07:45 PM
No, I don't think so; seeing that my EAB account is hacked and not here and also not on Amibay, I guess it started there.

Quote from: Matt_H;675769
Maybe it was an inside job! Cue the melodramatic music and unusual zoom-in effects! :lol:
Title: Re: Change your passwords
Post by: number6 on January 14, 2012, 04:32:50 PM
Quote from: Buzzfuzz;675771
No, I don't think so; seeing that my EAB account is hacked and not here and also not on Amibay, I guess it started there.

Recently? And with similar wording?

#6
Title: Re: Change your passwords
Post by: Buzzfuzz on January 14, 2012, 05:20:59 PM
Yep, AmiNeo is also hacked; he can't get in either, and his post count is also on n/a, just like me.

Quote from: number6;675773
Recently? And with similar wording?

#6
Title: Re: Change your passwords
Post by: Iggy on January 14, 2012, 05:41:08 PM
Thank you Karlos.
Done.
 
Who the hell attacks Amiga sites?
Title: Re: Change your passwords
Post by: Matt_H on January 14, 2012, 05:45:00 PM
Quote from: bbond007;675707
Who is trying to hack Amiga sites anyway? Atari ST users?


No, unfortunately this is most likely one of our own homegrown nutcases.
Title: Re: Change your passwords
Post by: Buzzfuzz on January 14, 2012, 06:10:07 PM
You might want to turn on your log functions; although it gives quite a load, this would show anything suspicious.

Quote from: Karlos;675751
All joking aside, this is a very serious issue.

We are still investigating the possibility that this site was compromised directly, though so far nothing untoward has been spotted.
Title: Re: Change your passwords
Post by: Zac67 on January 14, 2012, 06:20:27 PM
I hope a.org doesn't store the password hashes unsalted? Reasonably salted hashes are next to impossible to crack (reverse).
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 06:25:10 PM
Quote from: Zac67;675781
I hope a.org doesn't store the password hashes unsalted? Reasonably salted hashes are next to impossible to crack (reverse).

We're using a salted hashing algorithm for passwords.
Title: Re: Change your passwords
Post by: Buzzfuzz on January 14, 2012, 06:27:31 PM
vB doesn't anyway; they are salted MD5, unless you're not up to date with patches that have security issues.
 
Quote from: Zac67;675781
I hope a.org doesn't store the password hashes unsalted? Reasonably salted hashes are next to impossible to crack (reverse).
Title: Re: Change your passwords
Post by: Zac67 on January 14, 2012, 06:41:45 PM
Title: Re: Change your passwords
Post by: save2600 on January 14, 2012, 07:23:47 PM
Quote from: save2600;675708
The Atari SF354 is the greatest, most useful and most reliable drive on the planet!

I also love the fact it requires its own external power supply. So kewl!

Looks like someone hacked into my account and posted this drivel. As if *I* would ever say such a thing.  :laughing:

(admins... just kidding - no one hacked into my account. took a proactive stance and changed my password from ataristblowschunks just in case - LOL!)
Title: Re: Change your passwords
Post by: Piru on January 14, 2012, 08:16:18 PM
Quote from: Zac67;675781
Reasonably salted hashes are next to impossible to crack (reverse).
Unfortunately this is no longer true. Salting is an effective defense against rainbow tables, but there are new tricks in the bag: a single graphics card can try several billion vBulletin salted passwords per second, and you can have several cards in a single machine.

In general salting is almost pointless if the attacker can obtain the salts (and typically they do, they're in the same table as the password hashes). Salts of course do raise the amount of work required for cracking but the GPU grunt has leveled the field again.

The solution is to use multi-round hashing of the password + salt.
Title: Re: Change your passwords
Post by: Karlos on January 14, 2012, 09:27:33 PM
Quote from: Piru;675798
Unfortunately this is no longer true. Salting is an effective defense against rainbow tables, but there are new tricks in the bag: a single graphics card can try several billion vBulletin salted passwords per second, and you can have several cards in a single machine.

In general salting is almost pointless if the attacker can obtain the salts (and typically they do, they're in the same table as the password hashes). Salts of course do raise the amount of work required for cracking but the GPU grunt has leveled the field again.

The solution is to use multi-round hashing of the password + salt.

I've written such a system previously, using a minimal 12-byte (all non-zero values allowed) random salt. The salt is merged into the password and the result hashed repeatedly with one of a number of supported hash functions (bcrypt is nice and slow as a proper alternative that does this stuff already). The salt and variable (up to 65535) iteration count are then encoded into the resulting hash rather than being stored separately. Depending on the settings applied, hashing takes up to 2 seconds on my PC.

It might be an option for this place if the worst comes to the worst, but I'd be reluctant to deploy it unless it was reimplemented in C and deployed as a compiled php extension such that the code is kept away from casual inspection.
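Both Piru's point (a salt defeats precomputed tables but, once the attacker has the table, each guess still costs only one cheap hash) and Karlos's description of his scheme (random 12-byte salt, configurable hash, iteration count and salt encoded into the stored string) can be shown side by side. The following is an added example and not Karlos's code, vBulletin's code, or this site's code. It uses PBKDF2 from Python's standard library as the iterated construction rather than a hand-rolled loop, stores salt and round count in the hash string exactly so that verification needs nothing else, and includes a small dictionary attack against the stored string to make the cost difference concrete. The single-round `md5(md5(password) + salt)` form is vBulletin 3/4's documented scheme, stated here as an assumption since the thread only says "salted MD5"; the 65535 cap on rounds mirrors the post, and the word list and salts are constructed sample data. In practice bcrypt, scrypt or Argon2 (which Karlos also mentions in the bcrypt case) are the better choice because they are memory-hard or otherwise GPU-unfriendly in a way plain iterated SHA-2 is not.

```python
"""Single-round salted MD5 beside iterated salted hashing (added example, not the site's code)."""
import base64
import hashlib
import hmac
import secrets

ALLOWED_ALGOS = {"sha256", "sha512"}   # hash functions the stored format may name
MAX_ROUNDS = 65535                     # cap taken from the post above; raise in real deployments
SALT_BYTES = 12                        # salt length taken from the post above


def vb_style_md5(password: str, salt: str) -> str:
    """Single-round scheme in the style vBulletin 3/4 uses (assumption: md5(md5(pw) + salt)).

    The salt stops rainbow tables, but with salt and hash in hand an attacker
    pays just two MD5 calls per guess, which is what GPUs are very good at.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, rounds: int = 20000, algo: str = "sha256",
                  salt: bytes = None) -> str:
    """Iterated scheme: PBKDF2-HMAC over password and a random salt.

    Returns one self-describing string, "$pbkdf2-<algo>$<rounds>$<salt>$<digest>",
    so the verifier needs no separate salt or iteration-count columns.
    """
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported hash: {algo}")
    if not 1 <= rounds <= MAX_ROUNDS:
        raise ValueError(f"rounds must be in 1..{MAX_ROUNDS}")
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh per password, never reused
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-{algo}${rounds}${_b64e(salt)}${_b64e(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Parse the stored string, recompute, and compare in constant time."""
    try:
        empty, scheme, rounds_text, salt_text, dk_text = stored.split("$")
        prefix, _, algo = scheme.partition("-")
        rounds = int(rounds_text)
    except ValueError:
        return False                     # malformed record: never a match
    if empty != "" or prefix != "pbkdf2" or algo not in ALLOWED_ALGOS:
        return False
    if not 1 <= rounds <= MAX_ROUNDS:
        return False                     # refuse records with an out-of-policy cost
    salt, expected = _b64d(salt_text), _b64d(dk_text)
    actual = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def dictionary_attack(stored: str, candidates) -> str:
    """What the attacker does with a leaked row: every guess costs the full round count.

    With the single-round scheme the same loop would cost two MD5 calls per guess.
    """
    for guess in candidates:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    wordlist = ["password", "amiga", "hunter2", "letmein"]
    cheap = vb_style_md5("hunter2", "x9Qz")
    strong = hash_password("hunter2", rounds=5000)
    print("single-round salted MD5:", cheap)
    print("iterated, self-describing:", strong)
    print("dictionary hit:", dictionary_attack(strong, wordlist))
```

The attack loop still succeeds against `hunter2` because iteration only multiplies the attacker's cost per guess, it does not make a weak password strong; that is why the thread's advice to use unique, long passwords stands regardless of what the server does. Encoding the round count into the string also lets the site raise the cost later and rehash each user transparently on their next successful login.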
Title: Re: Change your passwords
Post by: tomazkid on January 14, 2012, 10:29:42 PM
Quote from: Piru;675798
Unfortunately this is no longer true. Salting is an effective defense against rainbow tables, but there are new tricks in the bag: a single graphics card can try several billion vBulletin salted passwords per second, and you can have several cards in a single machine.

In general salting is almost pointless if the attacker can obtain the salts (and typically they do, they're in the same table as the password hashes). Salts of course do raise the amount of work required for cracking but the GPU grunt has leveled the field again.

The solution is to use multi-round hashing of the password + salt.

Bah, what happened to the traditional Amiga "Security Through Obscurity" approach?
Is it obsolete now? :D

/more serious mode
Yes, regarding the GPU as you wrote, it seems the current trend of using GPUs for processing might even make passwords as identification obsolete.
Title: Re: Change your passwords
Post by: actung_bab on January 14, 2012, 10:33:09 PM
Yes, my best friend has an Atari ST, nice machine, got some cool features too.
Title: Re: Change your passwords
Post by: cecilia on January 15, 2012, 01:52:49 PM
Pass the Salt!
Title: Re: Change your passwords
Post by: Karlos on January 15, 2012, 02:05:16 PM
Quote from: cecilia;675887
Pass the Salt!


ITYM "salt the pass" :)
Title: Re: Change your passwords
Post by: swift240 on January 15, 2012, 04:00:21 PM
Done it............
Title: Re: Change your passwords
Post by: cecilia on January 15, 2012, 09:45:30 PM
Quote from: Karlos;675891
ITYM "salt the pass" :)
:roflmao: