Wedge

Public area => Off-topic => The Pub => Other software => Topic started by: Aaron on July 23rd, 2013, 07:10 PM

Title: SM.org compromised
Post by: Aaron on July 23rd, 2013, 07:10 PM
Apparently the SM community site has been compromised (http://www.simplemachines.org/community/index.php?topic=508232.0)...
Title: Re: SM.org compromised
Post by: xrunner on July 23rd, 2013, 08:29 PM
I found out because I got a notice that a new topic was posted about it on this board here. I never got an email from them. I did go there and change my password.

What the Hell is going on out there? Last week I got a notice that the NASDAQ site was hacked. Then a few days ago I got an email from the Ubuntu forum that they were hacked. Now the SM forum is hacked. I'm starting to get worried about security like never before.
Title: Re: SM.org compromised
Post by: Dragooon on July 23rd, 2013, 08:42 PM
Yay for PMs being hacked, I have a lot of stuff in there. Although most of the stuff is kinda useless...so okay.
Title: Re: SM.org compromised
Post by: Kindred on July 23rd, 2013, 08:48 PM
Hackers should be locked up in general population....
Title: Re: SM.org compromised
Post by: agent47 on July 23rd, 2013, 08:50 PM
Just when things couldn't get any worse for SM.org....
Title: Re: SM.org compromised
Post by: TE on July 23rd, 2013, 08:53 PM
yep, so many hackers out there.. drupal.org was hacked last month IIRC..
https://drupal.org/news/130529SecurityUpdate

Glad I deleted my account over at SM.org two weeks ago :whistle:
Title: Re: SM.org compromised
Post by: Nao on July 23rd, 2013, 11:38 PM
They should have used Wedge... It doesn't have the admin feature to download a DB backup... :niark:
Title: Re: SM.org compromised
Post by: live627 on July 24th, 2013, 12:29 AM
This is why Wedge doesn't allow file edits.
Title: Re: SM.org compromised
Post by: emanuele on July 24th, 2013, 12:33 AM
ehm... does it allow uploading a plugin with PHP code? ;)
Title: Re: SM.org compromised
Post by: live627 on July 24th, 2013, 05:34 AM
Yes. However, it connects through FTP. Nothing is ever uploaded directly with PHP.
Title: Re: SM.org compromised
Post by: Arantor on July 24th, 2013, 06:39 AM
Just to elaborate, the entire plugin architecture in Wedge is different to SMF, there is no code remaining from the old packman. Live is right about the plugin upload aspect - but I'll elaborate as to what we do and why.

When you upload a plugin to the admin panel as a zip file, some basic stuff is done to validate the package (looks for plugin-info.xml, quickly validates it) and if successful, it is moved out of the temporary folder into one of the Wedge folders where it can be dealt with.

What then happens is the admin is prompted for FTP details and then Wedge performs the upload of the package itself. More accurately, it opens the connection, creates all the folders via FTP then proceeds to upload the files via FTP too. The very important detail here is that at no point does the www-data/nobody/apache user ever actually own the files, because they are uploaded with the user's FTP details so all the files are then also owned by that FTP user, making all those files write-protected against other users even on shared systems. This is the really neat part about this: since plugins never have to edit files (not that, generally, they could anyway), permissions never need to be escalated.

I should add, I actually tested this on a real shared server and was able to upload plugins without ever having to escalate permissions in any way whatsoever.

Yes, it would be possible to add a plugin which allowed downloads of the DB but it would have to be done by the admin with actual FTP credentials.

Just one last thing: this was not, at least not directly, a vulnerability of SMF. Information has been provided to me about a method by which the password forcing could have been expedited, a method which I was already aware of and has even been discussed on this forum, but it is not a vulnerability in the software as such (though it probably should be modified to mitigate this sort of circumstance). All in all this was a user account being forced, and as ever the users are the weakest part of the security chain.
Posted: July 24th, 2013, 06:37 AM

Also, as much as I didn't want to, I logged into sm.org to reset my password.
Title: Re: SM.org compromised
Post by: Arantor on July 24th, 2013, 07:03 AM
Also, we really need to add a method by which user passwords can be force-reset by the admin on a bulk level like this.
Title: Re: SM.org compromised
Post by: Pandos on July 24th, 2013, 08:46 AM
Quote from Dragooon on July 23rd, 2013, 08:42 PM
Yay for PMs being hacked, I have a lot of stuff in there. Although most of the stuff is kinda useless...so okay.
One more reason for encryption of PMs.
This was already discussed here:
http://wedge.org/bzz/6110/pm-encryption/
Title: Re: SM.org compromised
Post by: Arantor on July 24th, 2013, 08:58 AM
-sigh- You do realise that all you do is simply slow down an attacker rather than actually preventing anything? And the slowdown is trivial to beat, not lengthy...

The PMs must be in a form that can be decrypted by each user. Unless you create one duplicate for every recipient (as opposed to the current situation of one copy per PM and one entry for each recipient) which is separately encrypted which opens a massive glut of issues in terms of storage (it would render the announcements system basically useless), you have to keep them decryptable without complex systems. Which means it's basically a waste of effort because it can always be decrypted by anyone who gets the database.

:edit: Did you actually read the thread you linked? It would explain pretty much every reason why this is a bad idea.
Title: Re: SM.org compromised
Post by: Pandos on July 24th, 2013, 09:13 AM

Ouch ...
Hackers are one thing, but there is more:
Here in Germany a lot has changed in the way privacy is handled.
An administrator I know was sued because he had read users' PMs. It didn't really turn out well for him ...
So it would be a cool feature to deal with legal issues.


But I can understand your concerns about it. Technically impossible to implement ..
Title: Re: SM.org compromised
Post by: Arantor on July 24th, 2013, 09:28 AM
It is borderline to impossible to do it sanely, yes. You need to be able to keep the original content in an accessible fashion and whatever you do, the decryption key must by definition still be in the database too... a hacker by definition can obtain all the content in the database to deal with it. Now, that doesn't rule out things like private/public key pairs but that does significantly ramp up the user usability issues, and that reduces their usability to only a few people; it would actually be easier just to remove the feature than worry about that because a feature that is so obtuse for users probably shouldn't exist; most people don't understand what private/public keys are, or why they would have to use them.

I don't really see how a site owner can be sued when he is legally responsible for all content on the site including private messages but the easiest way to solve that is to have a clause in the registration agreement that says the site owner has the ability to do so should it be necessary... users agree to it when they register. That said, investigating PMs without due cause is always tricky ground.
Title: Re: SM.org compromised
Post by: Pandos on July 24th, 2013, 09:46 AM
No, there's no way here in Germany to deal with it by adding a clause in the registration agreement. This will be an infringement of privacy for which you can easily get punished by law.
The only way it is allowed to read PMs is that the user explicitly grants you access to them. This doesn't work globally!

There is a very good law podcast here in Germany for all that are interested:
http://www.law-podcasting.de/darf-ein-foren-admin-die-privaten-nachrichten-der-user-lesen

So I think this will grow into a serious problem in the near future.

Removing PMs is not the way to go, because everyone loves PMs :)
Title: Re: SM.org compromised
Post by: Pandos on July 24th, 2013, 10:14 AM
Found an interesting link:
http://www.vbulletin.org/forum/showthread.php?t=140064

Title: Re: SM.org compromised
Post by: Dragooon on July 24th, 2013, 11:00 AM
One thing that can probably work is having a separate password for PM acting as a private key, anything else is more or less slowing things down.
Title: Re: SM.org compromised
Post by: Arantor on July 24th, 2013, 05:40 PM
If you do that per user, you have to maintain copies for each PM/each user. And if you then change the password you have to rebuild the message (decrypt it with the old password, re-encrypt it with the new one)

Doing it per message does the job but if they already get the database and get the encrypted data, boom, they already get all the keys too.

Regarding the legal status of PMs, I'm not being funny but that really isn't our problem. We cannot police what users do or don't do with our software. It is the user's responsibility to comply with their local laws. We don't give them anywhere that they can actually do it so they have to access the database. Now, if they do, that's up to them. The chances of *accidentally* seeing it in the database are so negligible it's not even worth contemplating (the only way it is possible is if you accidentally see it in the database backup SQL file... and we don't have a database backup feature)

The method described in that mod for vBulletin is one that has been discussed before and if you bothered to even read it properly it would tell you what it does and why it simply isn't suitable. All it does is encipher (not even encrypt) the content and since it's decodable trivially, it really is no better than leaving it unencoded in the first place. And if we add it to Wedge, the method by which this is handled will be entirely visible anyway... so all it actually prevents is admins who aren't entirely above board in the first place (who wouldn't actually install it)... in other words, for every use for which the plugin is designed, it's actually useless from a practical standpoint and constitutes security theatre.[1]

I realise this is important to you but I feel you're just not listening to the points I'm making.
 1. Something which by its existence and use leaves people believing they are more secure than they actually are. It is one thing to be insecure, it is something else to be insecure whilst believing you are secure. This is mostly the latter.
Title: Re: SM.org compromised
Post by: Pandos on July 24th, 2013, 06:43 PM
I can totally understand your point of view and I'm with you.

For me (and perhaps others) this would be a chance to be compliant with the (local) law.
Even if you don't do it, there's nevertheless a way to do you harm and get you into trouble.
Just a thought:
How can you prove that you don't do it if someone else accuses you of doing it? ;)
Title: Re: SM.org compromised
Post by: xrunner on July 25th, 2013, 12:18 AM
My bank uses some kind of extra check where if you log in from an "unknown" computer, it asks you verification questions. So even if your password is stolen it can't be used on another computer without knowing the answers to very specific personal security questions. It's too bad that technology isn't available to all, but it probably adds a lot of complexity.
Title: Re: SM.org compromised
Post by: Hristo on July 25th, 2013, 04:14 AM
@xrunner My bank used to require us to download a certificate file and install it in the browser. If you are using a browser without the certificate you can't log in. But this method was deprecated; now they require a digital signature. SMF's Login Security mod offers some additional protection - a user-defined IP range from which he/she can log in.
Title: Re: SM.org compromised
Post by: Arantor on July 25th, 2013, 07:25 AM
Quote from Pandos on July 24th, 2013, 06:43 PM
For me (and perhaps others) this would be a chance to be compliant with the (local) law.
Even if you don't do it, nevertheless there's a way to do you evil and to bring you in trouble.
Just a thought:
How can you prove that you don't do it if someone else accused you to do it? ;)
You can't, of course. But however it is encrypted, it must by design be decryptable, and by consequence it must be accessible by the admin. All we're dancing around right now is how difficult it is for the admin to do that. Right now there's no block other than the knowledge simply to access the relevant part of the database. Enciphering or encoding elevates the bar but it just means someone will write a plugin to bypass it. Just because such a plugin is not permitted on sm.org does not mean it does not exist (in fact it was even written and published on sm.org for 1.0.x many moons ago), and a PM spy type mod will exist anyway. Ultimately this is still security theatre and if it ever comes up that someone has to defend it for Wedge, I will explain the issues with it from our point of view. There should not be an expectation of privacy beyond whatever the admin wants to give.
Quote from xrunner on July 25th, 2013, 12:18 AM
My bank uses some kind of extra check where if you log in from an "unknown" computer, it asks you verification questions. So even if your password is stolen it can't be used on another computer without knowing the answers to very specific personal security questions. It's too bad that technology isn't available to all, but it probably adds a lot of complexity.
That's sort of the point. How much security is too much security? There is also a world of difference between a typical forum and a typical bank. But it's possible to have a bank too secure to allow you to use it, which is not really that much use to you, and a feature that's too complicated to use is not really worth it.
Quote from Hristo on July 25th, 2013, 04:14 AM
@xrunner My bank used to require from us to download a certificate file and to install it in the browser. If you are using browser without certificate you can't login. But this method was deprecated, now they require digital sign. SMF's Login Security mod offers some additional protection - user defined IP range of which he/she can login.
It's interesting, sure. One thing I would note is that it would be possible to add these sorts of things to Wedge as a plugin. The Login Security mod is actually not as effective as it might sound, depending on how flexible your IP address is and it is entirely possible to lock yourself out of your admin panel and have to resort to DB edits to get back in... the problem then with us adding that is that we'll be the ones who have to help people who get into that situation and to be honest that's really not something I want to encourage.
Title: Re: SM.org compromised
Post by: Arantor on July 25th, 2013, 10:00 AM
Just to add, I posted this to the end of the debate where people are talking about making the hashes harder.
Quote
Much as I hate to get involved, someone who I owed a favour to asked me to comment.

Firstly, you're incorrect about some of your assertions. The salt you're referring to is not used to compute the password hash. The password in the database is stored as SHA1(strtolower(username) . password) and has been for a very long time in SMF. No extra table is required for this. Oh, and if you notice, it's not actually 'rolling their own'. It's following standard practice (take the password, add something that's account specific and hash that)... and in ANY case the salt would be useless if it were used because it's RIGHT THERE IN THE TABLE. It's only any use if it's otherwise an unknown, but since it's not an unknown element, because it's right there in the table, it doesn't really help any since you already have to construct a rainbow table for every account in the first place.

Secondly, not all hosts are currently using 5.3.7 and up. There are still some very major hosts running 5.2 and in fact some hosts still offering 4.4 hosting for the time being, even though 5.3 itself is officially maintenance only now, and most of SMF's typical demographic applies to those because they're the budget end of the market. So that's not really something SMF can implement in a realistic fashion, but I guess reality of lots of support requests (and there are already multiple requests per day related to one really poor free host and their limitations, but hey, let's add a crap ton more!) is irrelevant.

Thirdly, I don't believe you understand what it means by 'decrypting the password'. It is mathematically impossible to actually decrypt the password hashed by a digest hash like SHA1. What you do is find something that when combined with the username and then hashed will give you the same hash as what you're looking for... that means potentially multiple passwords will actually work because you're not looking to find the original, you're merely looking for a collision. You may want to search for multiple collisions for this very reason.

Fourthly, it is well researched and documented that most people suck at choosing passwords. A 2011 study (whose link I can't immediately find) found that 'password' was still by far the most common password, followed by '123456' and direct variations of that. Breaking into systems can be done with that fairly easily.

Incidentally, pushing everything to bcrypt may not be the smartest idea in the world. If everything is pushed to bcrypt and a *single* vulnerability is found, suddenly a lot more targets are actually located. Having everything in a slightly different form does at least have some benefits with respect to lowering the immediate attack vector options. There is a little comfort - but very certainly not a lot - from security through obscurity, but it is no substitute by any means for real security.

Thing to note: the system is only ever as strong as the people who hold the keys to it. It is often significantly easier to leverage a weakness in a person rather than in the technology under them, as was done here, to leverage the access to perform queries on the database. Once the database is compromised, best security practice is to assume it is *always completely compromised* even if the data is encrypted with the strongest possible methods, because you never know what resources the intruder has to break that.

Consider: this attack was to force an admin's account. If there was no way to run arbitrary code through some fashion with an admin's account or to pull a database backup of some kind, there would be less risk. In fact, if there is no method by which to run arbitrary code or pull a database backup without server access directly, you need to do more than brute force that account, and proceed to brute force a server account. If someone's already gotten into the server itself, assume everything is compromised anyway because by definition it is.

The whole thing about hashes is only an issue if someone gets into the server or otherwise can obtain raw access to the tables and right now there are ways by which an admin can do just that, either by splicing code into template files, or by uploading a package. Stronger controls need to be added to these to prevent arbitrary code being able to be run with just an admin's account, for example enforcing upload via FTP of plugins (as other software does), as well as limiting the ability to run arbitrary code from the admin panel by removing the ability to edit files from said admin panel and enforcing use of either hosting control panel or FTP download/local editing.

I see where you're going but honestly you're picking on one of the stronger links in the chain. There are far, far many more issues to consider... like how on a number of shared hosting setups it is actually possible for your setup to be hijacked as soon as you install a mod. Or how in a number of shared hosting setups it's possible for your entire database to be compromised and with you not being able to do *anything* about it whatsoever. But of course these are minor considerations when compared to worrying about what will happen when a hacker gets in... I'd personally prefer to keep them out in the first place where possible, rather than tightening up what happens when they already have. (Not that you shouldn't ALSO do that, but in terms of priority, it's really a secondary consideration. Don't worry about locking up the family silver if the front door is already unlocked.)
You'll note that at least some of those things I talk about are already done in Wedge ;) There is no backup facility and plugins have to be uploaded via FTP (even if Wedge does it for you, it's still doing it via FTP and inheriting permissions while doing so, there's no point where files are made writable)

On this matter, I can make the case for upgrading to bcrypt just as I can (and did) make the case against it. I'm not averse to upgrading the password security at all, and I do believe the benefits outweigh the cons here, but there are more changes to the architecture that I want to make to support this. I don't want to discuss my changes at this time because I don't believe it is relevant to this discussion and I'd really rather not divert this discussion too far.
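The following is an added example, not code from the thread, SMF or Wedge. It reproduces the storage form Arantor describes (SHA1 of the lowercased username followed by the password), shows why the username-as-salt is visible to anyone holding the table and therefore only forces one pass per account rather than slowing the guessing itself, and contrasts it with a deliberately slow hash. PBKDF2 from Python's standard library stands in for the bcrypt the thread discusses; the user records, the word list (led by the two entries the post names) and the iteration count are constructed for the example.

```python
"""Legacy SMF-style hashing versus a slow salted hash: a dictionary attack on both."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def smf_legacy_hash(username: str, password: str) -> str:
    """SHA1(strtolower(username) . password), the storage form the post describes."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


# Constructed word list; the first two entries are the ones the post names as most common.
COMMON_PASSWORDS: List[str] = ["password", "123456", "12345678", "qwerty", "letmein", "Password1"]


def dictionary_attack_legacy(username: str, stored: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Guess one account's password. Returns (password or None, hashes computed).

    The username sits in the same table as the hash, so the attacker always has the
    'salt': it costs one pass per account, it is not a secret and it adds no work per guess.
    """
    work = 0
    for candidate in wordlist:
        work += 1
        if hmac.compare_digest(smf_legacy_hash(username, candidate), stored):
            return candidate, work
    return None, work


def precomputed_table(username: str, wordlist: List[str]) -> Dict[str, str]:
    """hash -> password for one account. The only thing the username prefix buys is
    that this table is useless against a different username."""
    return {smf_legacy_hash(username, p): p for p in wordlist}


# Work factor for the slow hash; an assumed value for the example, tune it per host.
PBKDF2_ITERATIONS = 100_000


def slow_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, standing in for bcrypt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_slow(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = slow_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack_slow(salt: bytes, digest: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Same attack against the slow hash. A weak password still falls, which is the
    post's point about people choosing 'password'; what changes is that every guess
    now costs PBKDF2_ITERATIONS hash invocations instead of one."""
    work = 0
    for candidate in wordlist:
        work += PBKDF2_ITERATIONS
        if verify_slow(candidate, salt, digest):
            return candidate, work
    return None, work


if __name__ == "__main__":
    stored = smf_legacy_hash("Admin", "123456")           # stored for user "Admin"
    print("legacy:", dictionary_attack_legacy("admin", stored, COMMON_PASSWORDS))
    salt, digest = slow_hash("123456")
    print("slow:  ", dictionary_attack_slow(salt, digest, COMMON_PASSWORDS))
```

Because the username is lowercased before hashing, "Admin" and "admin" with the same password produce the same digest, which the first assertion below relies on. The slow hash changes nothing about a user who picks "123456"; it multiplies the cost of every guess against every account, which is what a work factor is for. In PHP the equivalent is password_hash()/password_verify() (bcrypt by default, PHP 5.5 and later), which is the host-version question the post raises.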
Title: Re: SM.org compromised
Post by: nend on July 26th, 2013, 11:03 PM
I noticed the post at SMF shared on my FB. Seems like I have been away for far too long. However the attitude is still the same.

You would think they would have had the database dump and package manager disabled. But SMF can do no wrong and everything is OK how it is. According to them this is not the way they got the information; I don't know of any other way at this time.

An idea that comes to mind: why not create fake admin accounts with fake stats and ban anybody that tries to log into them for a while.
Title: Re: SM.org compromised
Post by: Auk on July 27th, 2013, 02:02 AM
@nend, why would they need fake admin accounts? I read about security practice of this, known as "honey pot" IIRC. While there are some benefits, I do not like the idea of having traps set up for would-be hackers. IMO, in a way, it's like a false sense of security. If anything, the would-be hackers will learn what happened and figure your game, then to try something else.
Title: Re: SM.org compromised
Post by: Arantor on July 28th, 2013, 03:02 AM
I know more of the story but cannot reveal details without breaking certain confidences.

What I will say, though, is that the DB backup on a database that size is useless and the package manager was not the method by which the database contents were exploited. The method by which arbitrary PHP code was run is a method I've long known about and suggested as a possible vector on more than one occasion, and it is a feature in the admin panel that I have thought should have been revoked by now. Wedge hasn't because there are still a number of questions around that particular feature.
Title: Re: SM.org compromised
Post by: live627 on July 28th, 2013, 03:45 AM
Quote
I know more of the story but cannot reveal details without breaking certain confidences.
And I think I can guess it.
Title: Re: SM.org compromised
Post by: Arantor on July 28th, 2013, 03:47 AM
I should hope so :P
Title: Re: SM.org compromised
Post by: Kindred on August 2nd, 2013, 02:59 AM
well, there isn't much that we haven't already discussed openly.

With the exception of the name of the vector/admin - I don't think there is anything really surprising about how the hacker did what he did (once he got into the admin account)
Title: Re: SM.org compromised
Post by: Arantor on August 2nd, 2013, 03:39 AM
I honestly don't care about who the admin is. I haven't revealed the exact thing that was used inside the admin panel though it is fairly obvious.

One question I will put though: the area in question does allow for arbitrary PHP code. However, the vulnerability is only present if files are writable by PHP. I would *love* to hear a credible argument for leaving the files writable by PHP.
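Added example, not Wedge or SMF code: an audit of a web root for anything the PHP process could write to, which is the condition Arantor says the admin-panel vector depends on. It decides from mode bits and ownership alone, so it gives the same answer whether it is run as root, as the FTP account or as the web user, and it mirrors the earlier point in the thread that files owned by the FTP user are protected from www-data only as long as they are not group- or world-writable. The directory layout, the file names (which mimic an SMF install but hold placeholders), the allowlist of directories that legitimately stay writable, and the fake second uid are all assumptions for the example.

```python
"""Report files and directories under a web root that a given uid/gids could modify."""
import os
import stat
import tempfile
from typing import Iterable, List, Set, Tuple


def writable_by(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """Decide from mode bits and ownership only, so the answer does not depend on
    which account runs the audit (root sees everything as writable via os.access)."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_webroot(root: str, web_uid: int, web_gids: Set[int],
                  allow_prefixes: Iterable[str] = ()) -> List[str]:
    """Relative paths under root the web user could modify, minus allowed prefixes.
    Directories count too: a writable directory lets PHP drop a brand-new file in
    it even when every existing file there is 0444."""
    allow = tuple(allow_prefixes)
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in dirnames + filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if any(rel == p or rel.startswith(p + os.sep) for p in allow):
                continue
            if writable_by(os.lstat(os.path.join(dirpath, name)), web_uid, web_gids):
                findings.append(rel)
    return sorted(findings)


# Constructed layout, everything owned by the account running the example (the
# 'FTP user'). Trailing slash marks a directory. Modes are set explicitly so the
# result does not depend on the caller's umask.
LAYOUT = {
    "Sources/": 0o755,
    "Sources/Load.php": 0o644,
    "Themes/": 0o755,
    "Themes/default/": 0o755,
    "Themes/default/index.template.php": 0o666,   # the mistake: left world-writable
    "attachments/": 0o777,                        # legitimately writable, allowlisted
    "cache/": 0o777,
}


def build_demo_tree(base: str) -> None:
    for rel, mode in LAYOUT.items():
        path = os.path.join(base, rel)
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("<?php /* placeholder, not real SMF code */ ?>\n")
        os.chmod(path, mode)


def run_demo() -> Tuple[List[str], List[str]]:
    """(findings when PHP runs as a separate web user, findings when PHP runs as the
    file owner, as on suPHP/suexec style hosts). The separate uid is faked as
    getuid()+1 so the demo needs neither root nor a real second account."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        allow = ("attachments", "cache")
        separate_user = audit_webroot(base, os.getuid() + 1, set(), allow)
        as_owner = audit_webroot(base, os.getuid(), {os.getgid()}, allow)
    return separate_user, as_owner


if __name__ == "__main__":
    separate, owner = run_demo()
    print("PHP as separate user, writable:", separate)
    print("PHP as file owner, writable:   ", owner)
```

The second result is the caveat a practitioner wants: on hosts where PHP runs as the account that owns the files, the FTP-ownership argument buys nothing and the mode bits are the only line, so every 0644 file comes back as writable and has to be tightened (or the admin-panel features that write files have to go, which is the thread's position).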
Title: Re: SM.org compromised
Post by: Road Rash Jr. on August 4th, 2013, 04:25 AM
Well I can't say I'm surprised by this as security vulnerabilities have been reported by many over the years. Years ago there seemed to be a taboo placed on anyone who reported these breaches which is why I have not logged in there for over a year.
Title: Re: SM.org compromised
Post by: Arantor on August 4th, 2013, 04:41 AM
I'm sorry, which part of 'this was not a security vulnerability' were you having trouble understanding?

It has actually been mentioned how this was exploited on sm.org: someone uploaded a theme with extra files in it, one of which had nasty code in it. There are other routes to doing something similar - namely the theme editing functionality - but the point stands: this was a compromised account by way of an admin being on another site with the same password and the password compromised there.

The real question I would level at the SM people at this point is why basic security practices were not carried out with respect to files not being made read-only after modifications were carried out. But that's still not a security issue in the software, that's a fault of the underlying operating system configuration and a lack of knowledge and understanding from the people who organise such things. I understand there is some confusion as to what must remain writable for standard functionality.

There are, to the best of my knowledge, no vulnerabilities that have been reported and not been investigated. That is not to say that all reports were valid, or that all reports had an exploit that actually needed immediately patching; the most recent vulnerability, for example, actively requires an admin account to actually exploit it. If you already have an admin account, the potential for mischief - as seen - is already demonstrable and thus while there is a bug to fix, it is not really a legitimate vulnerability if it already requires all the keys to the kingdom to be able to exploit it in the first place.

If you can provide a report that you believe has not been taken seriously, please do contact me and I will investigate and take whatever action needs to be taken (including providing patches to SMF if necessary, it's not like we've never discussed vulnerabilities with them before now). I am well aware such claims have been made - but like every time this has been raised, we always ask for reports or indeed anything to back up this bluster and nothing is ever forthcoming. Provide me with something to work on and I'll look at it. Provide me with bluster and the only thing I can conclude is that you're just trolling and shit-stirring.

In any case, haven't you since been banned from sm.org?
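Added example, not code from Wedge, SMF or this thread: a pre-extraction check on an uploaded plugin or theme archive. It does the first step Arantor describes for Wedge's plugin upload (look for plugin-info.xml before anything is moved) and adds the checks that would have flagged the case described above, a theme archive carrying an extra file with PHP in it: path traversal, code files not on an expected list, PHP open tags hidden in files that do not look like code, and an uncompressed size cap. The manifest name is taken from the thread; the extension list, the size limit, the expected-template allowlist and the sample archives are assumptions constructed for the example.

```python
"""Inspect a plugin/theme zip in memory before any file touches the web root."""
import io
import posixpath
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Set

MANIFEST = "plugin-info.xml"            # the file the post says is looked for first
# Extensions a typical Apache/PHP host hands to the interpreter (assumed list).
CODE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
MAX_TOTAL_BYTES = 50 * 1024 * 1024      # assumed cap on uncompressed size


@dataclass
class Report:
    problems: List[str] = field(default_factory=list)
    code_files: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _unsafe_path(name: str) -> bool:
    """Absolute paths, Windows drive/backslash forms, or anything that normalises
    to a parent of the extraction root."""
    if name.startswith("/") or "\\" in name or re.match(r"^[A-Za-z]:", name):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def _looks_like_code(name: str) -> bool:
    """True for shell.php and for double extensions such as shell.php.jpg."""
    parts = posixpath.basename(name).lower().split(".")
    return any(ext in CODE_EXTENSIONS for ext in parts[1:])


def inspect_archive(data: bytes, expected_code_files: Set[str]) -> Report:
    report = Report()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.problems.append("not a zip archive")
        return report
    with zf:
        if sum(zi.file_size for zi in zf.infolist()) > MAX_TOTAL_BYTES:
            report.problems.append("uncompressed size exceeds limit")
        names = zf.namelist()
        if MANIFEST not in names:
            report.problems.append(f"missing {MANIFEST}")
        for name in names:
            if name.endswith("/"):
                continue                      # directory entry
            if _unsafe_path(name):
                report.problems.append(f"unsafe path: {name}")
                continue
            if _looks_like_code(name):
                report.code_files.append(name)
                if name not in expected_code_files:
                    report.problems.append(f"unexpected code file: {name}")
            elif b"<?php" in zf.read(name):
                report.problems.append(f"PHP open tag inside non-code file: {name}")
    return report


def zip_of(entries: Dict[str, str]) -> bytes:
    """Build an archive in memory from {name: text}; constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample archives. A theme legitimately ships PHP templates, so the
# check is against an allowlist, not against PHP as such.
CLEAN_THEME = {
    MANIFEST: '<plugin-info id="example.theme"/>',
    "index.template.php": "<?php /* template */ ?>",
    "css/index.css": "body { margin: 0; }",
}
TAMPERED_THEME = dict(CLEAN_THEME, **{
    "images/help.php": "<?php /* not a template */ ?>",          # the 'extra file'
    "images/logo.png": "\x89PNG\r\n<?php /* code hidden in an image */ ?>",
})
EXPECTED_TEMPLATES = {"index.template.php"}

if __name__ == "__main__":
    print("clean:   ", inspect_archive(zip_of(CLEAN_THEME), EXPECTED_TEMPLATES))
    print("tampered:", inspect_archive(zip_of(TAMPERED_THEME), EXPECTED_TEMPLATES))
```

None of this replaces the ownership point made earlier in the thread (files written by the FTP account rather than by PHP); it only stops the obvious archives from getting that far, and a rejected archive should be discarded without ever being extracted into a directory the web server serves.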
Title: Re: SM.org compromised
Post by: Road Rash Jr. on August 4th, 2013, 05:12 AM
Quote
In any case, haven't you since been banned from sm.org?
I wouldn't know, I haven't logged on there in over a year.

As for the security breaches reported by my dad, they appear to have been addressed in these releases
Quote
SMF 2.0.4 and 1.1.18 security patches have been released. on February 01, 2013, 05:27:00 PM
Critical security patches have been released, addressing few vulnerabilities in SMF 2.0.x and SMF 1.1.x. We urge all administrators to upgrade as soon as possible. Just visit the package manager to install the patch.

SMF 2.0.3, 1.1.17 and 1.0.23 security patches have been released. on December 16, 2012, 11:41:05 PM
Security patches have been released, addressing a vulnerability in SMF 2.0.x, SMF 1.1.x and SMF 1.0.x. We urge all administrators to upgrade as soon as possible. Just visit the package manager to install the patch.
Title: Re: SM.org compromised
Post by: Road Rash Jr. on August 4th, 2013, 05:52 AM
I just talked with Dad and he confirms his access is being blocked with this error message
Quote
Simple Machines Community Forum

An Error Has Occurred!

Sorry Guest, you are banned from using this forum!
Account suspended by user request
This ban is not set to expire.
Curious, since he hasn't been on there in years either, let alone made any requests.
Title: Re: SM.org compromised
Post by: Arantor on August 4th, 2013, 07:38 AM
I call BS.

Firstly, he was adamant that they were not fixed in those patches when they arrived.

Secondly, and this is the real BS kicker, either you're lying now about speaking to your father or you've been lying in the past on the various occasions you said your father had passed away, most recently in http://www.simplemachines.org/community/index.php?topic=508045.msg3579546#msg3579546 but in various threads and comments, including here, prior to that. Which is it?

More than one person has suggested to me that you're a troll and specifically that you're using that as an excuse to cover up some deeper issue. If your father has passed away, I'm sorry for your loss but you can't use him as a strawman to cover up for your own issues.

If you want to keep railing about how bad SMF is, please go somewhere else. I would rather you do so willingly rather than making you go, but I have no problem with making you go away if you can't comply reasonably. I doubt there is anything meaningful you could add at this point because you've given me fairly good proof that you're just talking BS now.
Quote
Through dangers untold and hardships unnumbered, I have fought my way here to the castle beyond the Goblin City to take back the child that you have stolen, for my will is as strong as yours, and my kingdom as great — You have no power over me.
Title: Re: SM.org compromised
Post by: Road Rash Jr. on August 4th, 2013, 02:45 PM
Arantor I have no wish to carry on this discussion with you here because it is obvious to me someone has been feeding you a line of BS and it isn't me.
Dad is alive and well thank you and I have never posted anywhere, here or on SMF that he was dead. Heaven forbid that is just morbid. I've never posted here either that he was dead so again you have me mistaken for someone else.
I have not logged into the SMF forum nor have I posted anything there. Neither has Dad. SO I have no idea what you are talking about and have no way to validate your link or what it says.
But the facts and truth is, we have not logged into or posted anything on the SMF forum in over a year.
I've just checked my past posts on here and can find nothing of what you speak of, so I'm at a loss as to what you are referring to.
This is my last post here over a year ago http://wedge.org/pub/smf/7996/my-review-of-customer-service-on-smf/msg288899/#msg288899 and my next post was this one http://wedge.org/pub/smf/8221/sm-org-compromised/msg290840/#msg290840

Arantor I have no animosity towards you or this project and have never spoken unkindly about either.
Neither do I have any animosity towards the SMF project.
Title: Re: SM.org compromised
Post by: Road Rash Jr. on August 4th, 2013, 03:26 PM
As an added thought, if you prefer to discuss me or my Dad further, it should probably be done by email. So if you want, send me an email and we'll try to clarify any misunderstanding that way rather than detract from the original topic.
Title: Re: SM.org compromised
Post by: Arantor on August 4th, 2013, 06:55 PM
That's funny, the post I linked was from YOUR ACCOUNT. The closing line of the post I linked to:
Quote
That is pretty insensitive of you. Dad past away over a year ago.
And
Quote
But the facts and truth is, we have not logged into or posted anything on the SMF forum in over a year.
That's funny, because I see posts from your account last month on sm.org.
Quote
This is my last post here over a year ago
Yes, because May 12, 2013 is more than one year ago.
Quote
As an added thought, if you prefer to discuss me or my Dad further, it should probably be done by email. So if you want, send me an email and we'll try to clarify any misunderstanding that way rather than detract from the original topic.
The only misunderstanding is how stupid you think the rest of us are. Are you seriously going to claim that your account was hijacked and someone's been using it to spread nonsense? That would be funny since the writing style hasn't changed in the entire time I've seen your posts.
Title: Re: SM.org compromised
Post by: Arantor on August 4th, 2013, 07:01 PM
OK, so here's the point I don't get. If the account was 'compromised' and someone else took it over, changing the password should have fixed that entirely. It seems funny that that never happened.
Title: Re: SM.org compromised
Post by: markham on August 4th, 2013, 07:06 PM
Quote from Arantor on August 4th, 2013, 06:55 PM
Quote
This is my last post here over a year ago
Yes, because May 12, 2013 is more than one year ago.
So you are the new Doctor Who and posting from the future! :eheh:(Sorry, Pete, I couldn't resist!)

Title: Re: SM.org compromised
Post by: Kindred on August 4th, 2013, 09:53 PM
rotflmfao...


OOPS.... caught out.

1- http://www.simplemachines.org/community/index.php?action=profile;u=204928
Last Active:    July 20, 2013, 01:30:42 PM
(also, the IPs used to access this account have not varied)

2- yup... as Arantor says, you've been consistently telling us how terrible the team is because we wouldn't believe that your dad was dead.

3- Nope... 2.0.4 did not patch anything that "your father" reported... Do you know why? Because he complained and moaned, but never ONCE gave anyone on the SMF team an actual security report with any evidence of a vulnerability, except for his continual claim that "it is there, I just can't tell you where".

4- Interesting that, if your account was compromised, all of the posts continued to use the exact same posting style and complaints that both you and "your father" use...

5- ... well, I'll just call BS at this point.


Arantor, to get back to the actual point. Yeah, we all agree that there was a slip up there as well. Sleepy has actually just rejoined the site team with some ideas about doing something about that and some ideas on adding a double layer security protocol for the admin, if not for anything else.

While this was not a vulnerability in SMF itself, we all admit that we have some egg on our faces...   our only consolation is that we're not the only ones in this boat.
Title: Re: SM.org compromised
Post by: Arantor on August 4th, 2013, 09:59 PM
Nice summary, Kindred, covers everything that's been going on ;)

Yeah, the whole writable-files thing is an issue and it's been an issue since forever. Part of the reason I guess I'm more hardline about it is because I deliberately spent time making that a non-issue in Wedge; every step in Wedge's plugin chain is about not having files be modified, specifically to ensure permissions never get elevated. But the price, of course, is flexibility, and I've not exactly lost sleep over that decision.

I'm interested in the concept of a double layer security protocol, essentially forcing admin access to be either IP bound (or at least whitelisted) and/or two-factor authentication. Unfortunately it's not something we can easily adopt as standard beyond IP whitelisting, for the obvious reason that both SMF and Wedge typically get deployed on shared hosts, and shared hosts typically are the lowest hanging fruit.
Title: Re: SM.org compromised
Post by: runic on August 5th, 2013, 06:25 AM
I'm quite interested in the double layer system as well; it should be an interesting system. From my own perspective I am quite impressed by the speed with which we managed to get everything out: from first being made aware to the site being sorted was 30 - 45 mins. It took longer to get the message out, as we wanted all the information we could get, and there are a lot of log files to go through, as you can imagine. Liroy did amazingly to get everything sorted, especially considering I woke him up from a good sleep. And he spent countless hours with little sleep going through the logs.

Don't get me wrong, it was a massive embarrassment, such a noob mistake for any admin or site, but we have learnt the lesson and have taken steps to prevent it, and as you read, quite large ones. Admins have come to an agreement on changing passwords on a regular basis, and I believe a policy will be put forward by the BoD; what that covers we shall see :)
Title: Re: SM.org compromised
Post by: Arantor on August 5th, 2013, 07:47 AM
Yeah, the turnaround was pretty good - far better than most I've otherwise been involved in (usually on the clean-up side, sigh)

Changing passwords on a regular basis is not necessarily a good plan. It prompts people picking easier-to-remember passwords.
Title: Re: SM.org compromised
Post by: Kindred on August 5th, 2013, 01:41 PM
yeah, I keep reminding people of that as well.
password1
password2
password3
Title: Re: SM.org compromised
Post by: runic on August 5th, 2013, 01:49 PM
I agree, but the frequency of changing is also an important consideration: changing every few months, yes, but changing it every year, well, that's better.
Title: Re: SM.org compromised
Post by: Arantor on August 7th, 2013, 03:49 AM
1. Road Rash Jr. has been post and PM banned. I have not fully banned him from the site should he wish to continue reading and so on but he cannot reply to posts nor send messages. I have had enough of his claims and I believe a lot of what he says to be fabrication at this point. The game ends here.

2. Kindred has the issue exactly correct with respect to password changing. I still believe that changing them even yearly isn't necessarily ideal, however I can see the logic of this.

3. I also believe it would be wise for both SMF and Wedge (and anyone else, for that matter) to adopt a system whereby a user's password can be expired and prompting a user to change it. Of course this does nothing for users who don't log in any more, perhaps something else needs to be considered for that situation.
Title: Re: SM.org compromised
Post by: Auk on August 7th, 2013, 04:08 AM
Quote
2. Kindred has the issue exactly correct with respect to password changing. I still believe that changing them even yearly isn't necessarily ideal, however I can see the logic of this.
I agree, because it's a bit much for me to think of something that I can remember. Running out of materials here that are unique and easy to remember, as well as being convenient.
Quote
3. I also believe it would be wise for both SMF and Wedge (and anyone else, for that matter) to adopt a system whereby a user's password can be expired and prompting a user to change it. Of course this does nothing for users who don't log in any more, perhaps something else needs to be considered for that situation.
Would the passwords be changed automatically and then an email sent? Or would the user who wishes to log in just use their password, and then get a notification (along with an email) prompting them to change the password?
Title: Re: SM.org compromised
Post by: Arantor on August 7th, 2013, 04:10 AM
I don't know how the password changing would work.

The basic case of forcing a user's password to change is easy enough: flag it as expired and force the user to change password when they next sign in.

The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.
Title: Re: SM.org compromised
Post by: markham on August 7th, 2013, 09:38 AM
Quote from Arantor on August 7th, 2013, 04:10 AM
The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.
Can it not be automatically and silently changed to some random series of characters (without sending out any notifications)? Should that user attempt to log-on in future, he will have to go through the "lost password" routine.
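The expiry flow Arantor outlines (flag the password as expired, force a change at next sign-in, and do something after the grace period passes) together with markham's suggestion of leaving the user with only the "lost password" route, as an added example that is not SMF or Wedge code. Rather than overwriting the stored hash with random characters it sets a `must_reset` flag, which has the same effect (the old password no longer works, and only the reset-token flow gets the user back in) but records why the account is in that state. The one-week grace period, the `Account` fields and the PBKDF2 parameters are this example's assumptions; the emailing of the reset token is left to the application, and the example cannot solve the stale-address problem Arantor raises.

```python
"""Password expiry with a grace period and a reset-token fallback.
Added example, not code from SMF or Wedge."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 7 * 24 * 3600  # one week after force-expiry, as in the thread
PBKDF2_ROUNDS = 100_000        # assumed work factor; tune for the deployment


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    expired_at: Optional[float] = None   # when an admin force-expired the password
    must_reset: bool = False             # grace period passed: only the reset flow works
    reset_token_hash: Optional[bytes] = None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(name, password):
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt))


def expire_password(acct, now):
    """Step 1: flag the password as expired; it still works until the grace period ends."""
    acct.expired_at = now


def sweep(accounts, now):
    """Step 3 for users who never log in: after the grace period, lock the
    credential so the only way back is the reset flow. Returns the names locked."""
    locked = []
    for acct in accounts:
        if acct.expired_at is not None and now - acct.expired_at > GRACE_SECONDS:
            acct.must_reset = True
            locked.append(acct.name)
    return locked


def login(acct, password, now):
    """Returns 'ok', 'change_required', 'reset_required' or 'bad_password'."""
    if acct.must_reset:
        return "reset_required"
    if acct.expired_at is not None and now - acct.expired_at > GRACE_SECONDS:
        acct.must_reset = True            # same lock as sweep(), applied lazily
        return "reset_required"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "bad_password"
    if acct.expired_at is not None:
        return "change_required"          # step 2: force a change on this sign-in
    return "ok"


def change_password(acct, old, new, now):
    """Allowed while the old password still verifies, expired or not."""
    if login(acct, old, now) not in ("ok", "change_required"):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.expired_at = None
    return True


def issue_reset_token(acct):
    """Returns the token to send to the user; only its hash is stored, so a
    database dump does not hand out working reset links."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    return token


def redeem_reset_token(acct, token, new_password):
    if acct.reset_token_hash is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.reset_token_hash = None
    acct.must_reset = False
    acct.expired_at = None
    return True
```

Nothing here ever sends a password by email: the only thing that leaves the server is a single-use token whose hash is all the database holds. A real deployment would also give the reset token an expiry time and invalidate existing sessions when the password changes.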
Title: Re: SM.org compromised
Post by: kimikelku on August 7th, 2013, 10:54 AM
At school I have a similar system to that: we have to change our password every 2 weeks. This is a website where we send our work and exams. If we don't log in within 2 weeks, which happens quite often since we don't have exams or work to send every 2 weeks, we don't need to change our password, but if we do, the first time we log in after we changed the password 2 weeks earlier we need to change it again. Plus we have to use a password with at least 20 characters; that's why I use a program called KeePass. I can generate different, strong passwords, save them and reduce the risk of the same thing happening that happened to that sm.org admin.
Another way, though I think it can get a little annoying, is the system that steampowered.com uses with user accounts: it asks for a small code when we change computer or IP address.
Title: Re: SM.org compromised
Post by: Norodo on August 7th, 2013, 12:30 PM
Quote from markham on August 7th, 2013, 09:38 AM
Quote from Arantor on August 7th, 2013, 04:10 AM
The problem is if a user hasn't changed it in a period of time (e.g. a week after it was force-expired), it needs to be changed automatically but there are security issues with that, e.g. if the user's email is outdated, but also emailing a new password out is inherently insecure too. There's not really a truly great way to solve that aspect.
Can it not be automatically and silently changed to some random series of characters (without sending out any notifications)? Should that user attempt to log-on in future, he will have to go through the "lost password" routine.
I'd be pissed off if I had to do that. Talk about unintuitive.

No I did not forget my password, you changed it!

EDIT: In addition, passwords that change without notification are usually a sign you have malware. That's not something I'd like to be led to believe in vain.
Title: Re: SM.org compromised
Post by: Arantor on August 7th, 2013, 06:01 PM
Yup, passwords that change without notification are usually indeed a sign that something bad has happened. Malware? Maybe. What it does show is that your account has almost certainly been tampered with but not necessarily via malware - there are other ways for your account to be tampered with.

It's tough because I don't want to create a situation where a user is locked out of an account with no way back in, which is very possible in this situation.
Title: Re: SM.org compromised
Post by: Norodo on August 7th, 2013, 07:05 PM
Quote from Arantor on August 7th, 2013, 06:01 PM
Yup, passwords that change without notification are usually indeed a sign that something bad has happened. Malware? Maybe. What it does show is that your account has almost certainly been tampered with but not necessarily via malware - there are other ways for your account to be tampered with.
Well obviously someone might have been looking over my shoulder or hacked into my WLAN or there might be some rogue admin but I think it's far more probable some kind of bullshit program.

The reason I thought that exact way right now was because this just happened to me. Microsoft Security Essentials does apparently NOT cover your ass sufficiently. <_<

After a ton of safe mode and other tricks I finally gave up, installed NOD32, and I am now a happy camper again. My online passwords are far safer too!
Title: Re: SM.org compromised
Post by: Arantor on August 7th, 2013, 07:34 PM
Quote
Well obviously someone might have been looking over my shoulder or hacked into my WLAN or there might be some rogue admin but I think it's far more probable some kind of bullshit program.
Or the server was hacked into. Or someone brute forced your password. There are many exciting and interesting ways that this stuff can happen.

But yeah, anything that changes without good reason is a sign that something is up.
Title: Re: SM.org compromised
Post by: Norodo on August 7th, 2013, 07:42 PM
Brute forcing my password without a hash or anything should be fairly impossible, but yes, of course you're right. I'm just telling you the reason I went straight for the "malicious software" idea.
Title: Re: SM.org compromised
Post by: xrunner on August 13th, 2013, 02:41 AM
I hate passwords. >:(

Or passcodes or passphrases or whatever the f**k. Certainly most of them these days aren't passwords like platypus or pineapple. Those days are long gone.

Anymore you are required to add capitals and numbers and special characters - oh and not more than 2 capitals and 3 specials characters and blah blah blah ... not to mention that different sites have different requirements so your special neato passthing with 3 numbers and 4 capitals won't be accepted as a passthing on other sites. Can we all get along?

I can't even remember all the passthings I have now, I have a special spreadsheet with them all listed.

Oh yes, and the spreadsheet itself has a password. :heck:

Why can't it be simpler?

Over to the Super Brains that hang out here.
Title: Re: SM.org compromised
Post by: nolsilang on August 13th, 2013, 08:44 AM
@xrunner : I suggest using KeePass or LastPass to manage your passwords; they have a password generator that can be automatically applied and saved when you create an account. You just need to remember your master password; try to make it a very long passphrase[1]. Well, the caveat is that when your master password is known/breached then it's... not good.
 1. Relevant xkcd : http://xkcd.com/936/
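A worked version of the two things nolsilang's post relies on, a generator for the per-site passwords and the xkcd 936 argument for a long master passphrase, as an added example that is not part of the post or of any password manager. The eight-word list is constructed for the example; a real generator draws from a published list such as the EFF large wordlist (7776 words). The entropy figures are the standard uniform-choice estimate, words × log2(list size), and assume the words really are drawn uniformly by a CSPRNG.

```python
"""Passphrase and password generation with entropy estimates.
Added example; the wordlist is a constructed toy, not a real one."""
import math
import secrets
import string

# Constructed toy list. Use a published list (e.g. the 7776-word EFF large
# list) in practice; eight words give only 3 bits per word.
TOY_WORDS = ["correct", "horse", "battery", "staple",
             "apple", "river", "candle", "window"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def passphrase(words, n=4, sep=" "):
    """n words drawn uniformly with the OS CSPRNG. Never use random.choice
    for anything that guards an account; it is seeded predictably."""
    return sep.join(secrets.choice(words) for _ in range(n))


def site_password(length=20, alphabet=PRINTABLE):
    """The kind of per-site password a manager generates: long, random, and
    never meant to be memorised."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(list_size, n_words):
    """Bits of entropy for n_words uniform picks from list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Bits of entropy for `length` uniform picks from `charset_size` symbols."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an offline attacker who tries half the space on
    average. Only meaningful if the attacker must enumerate the space, i.e.
    the secret really was generated uniformly, not chosen by a human."""
    return (2.0 ** (bits - 1)) / guesses_per_second
```

The comparison the xkcd strip makes falls out of the two entropy functions: six words from a 7776-word list are about 77.5 bits, while eight random printable characters are about 52.6 bits, and the six words are the easier of the two to remember. The per-site passwords do not need to be memorable at all, so `site_password` simply maximises entropy for the length the site accepts.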
Title: Re: SM.org compromised
Post by: live627 on August 13th, 2013, 11:11 AM
Quote
1.    Relevant xkcd : http://xkcd.com/936/
Touché
Title: Re: SM.org compromised
Post by: KaBo0M! on August 15th, 2013, 03:50 AM
Quote
1.    Relevant xkcd : http://xkcd.com/936/
Try that method for multiple sites though. When you have logins for over 200 sites then it gets harder than that. I like to use a password manager. Is that as smart as I think it is? It encrypts it, and plus any sites I forgot about, it remembers the URLs and passes.
Title: Re: SM.org compromised
Post by: Arantor on August 15th, 2013, 03:58 AM
Using a password manager is only as secure as the password manager itself is. Having a single point of failure is not entirely smart.

However what I'd generally suggest is having the general sites being managed through such a system and then keeping only the really important ones managed in your head (e.g. banking)
Title: Re: SM.org compromised
Post by: MultiformeIngegno on August 17th, 2013, 10:37 AM
I trust this password manager. :-)
http://www.passpack.com/
Title: Re: SM.org compromised
Post by: live627 on August 17th, 2013, 11:14 AM
Quote from MultiformeIngegno on August 17th, 2013, 10:37 AM
I trust this password manager. :-)
http://www.passpack.com/
I would not trust them. I'm paranoid, okay?
Title: Re: SM.org compromised
Post by: MultiformeIngegno on August 19th, 2013, 11:10 PM
If you're okay being paranoid why shouldn't I be okay with that? :)
Title: Re: SM.org compromised
Post by: Arantor on August 19th, 2013, 11:17 PM
Yes because I love trusting my passwords on servers I don't control. Other than the site whose password it is, obviously.
Title: Re: SM.org compromised
Post by: live627 on August 20th, 2013, 08:25 AM
Quote from MultiformeIngegno on August 19th, 2013, 11:10 PM
If you're okay being paranoid why shouldn't I be okay with that? :)
3rd party yadda yadda yadda

Analogy: I put security cameras in your house and you'll trust me to not share what I find. Trust goes out the window.
Title: Re: SM.org compromised
Post by: MultiformeIngegno on August 20th, 2013, 06:38 PM
Quote from MultiformeIngegno on August 19th, 2013, 11:10 PM
If you're okay being paranoid why shouldn't I be okay with that? :)
You said 'okay?', and I was just saying I'm okay with you being paranoid :P