Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Ubuntu Security

Ubuntu Forum Security Breach 108

pinkstuff writes "There has been a major security breach of the Ubuntu Forums database. Every user's email address and salted password has been taken. From the forum home page: Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database. The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP. Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach."
This discussion has been archived. No new comments can be posted.

Ubuntu Forum Security Breach

Comments Filter:
  • by slimjim8094 ( 941042 ) on Wednesday July 24, 2013 @08:06PM (#44376469)

    Dupe of http://it.slashdot.org/story/13/07/21/0318243/ubuntuforumsorg-hacked [slashdot.org]

    Posting anon so no karma whoring

    • Weird, it showed the checkbox as checked for me...

      • Turns out you use the name slimjim8094 at ubuntuforums too. Maybe change your password. Now!
        • Yes it is.

          I have tiered passwords - one I use for a lot of stuff I don't care about, one I use for stuff I care about a little bit more (Slashdot is included ;) ) and unique passwords for anything "high-security" - work account, bank/anything else involving money, etc. I happened to use the "weak" password for ubuntuforums and - by definition - I don't really care if any other accounts are compromised. To put it in perspective, that's the password I use on sites that don't even hash their passwords, so the

          • You used a weak password for the ubuntu forums and a stronger one for slashdot? You're pretty weird, dude.

          • You place higher value on your /. account credentials than $insert_whatever_else_here? Speaking as someone who's on his third or fourth /. account (but the first one with my actual name), I must say ...

            Priorities [photobucket.com]. That is all.

          • by HJED ( 1304957 )
            BTW they have managed to decrypt the passwords, Simple Machines Forum just got hit as well because an admin used the same password on both sites.
    • slimjim8094: Failed. :P

  • During last days I have bumped to the "ubuntuforums.org is down for maintenance" message several times while googling some Linux stuff. I never realized before that I visit that site so often.
    • by Anonymous Coward

      During last days I have bumped to the "ubuntuforums.org is down for maintenance" message several times while googling some Linux stuff. I never realized before that I visit that site so often.

      The Gentoo and Arch Linux forums much more useful if you are an experienced, competent Linux user and ran into an oddball problem. Those users really, really know their stuff.

      Ubuntu forums are sadly full of noob types asking noob questions. Yes there is good info there but you'll have to wade through the "RTFM" type questions and sometimes your signal to noise ratio is very low. Of course if you actually ARE a newbie this is a plus and they are very good about steering you in the right direction in a

  • by Dwedit ( 232252 ) on Wednesday July 24, 2013 @08:37PM (#44376767) Homepage

    The hashes are salted. Who cares about a breach with salted hashes?

    • Re: (Score:2, Interesting)

      by TWX ( 665546 )
      That's what I'm wondering, given that's the whole point in using that method to store credentials in the first place...

      I also have to question the practicality of having different passwords for all one's accounts, especially on things as nonessential as forums. Between work and things that matter I already have to remember too many passwords.
      • Why would you have to remember them? Just use something like Password Safe [sourceforge.net] or KeePass [keepass.info] to remember your passwords for you. Not only do you not have to remember your passwords, but because you don't have to remember them, you can have much longer and more complex passwords.
        • by TWX ( 665546 )
          And how does that work across multiple different and different kinds of devices exactly?
          • And how does that work across multiple different and different kinds of devices exactly?

            KeePass is ported to many different device types. For syncing its database between devices, you could use whatever file syncing service you prefer.

    • Smart people?
    • by fluffy99 ( 870997 ) on Wednesday July 24, 2013 @08:44PM (#44376829)

      The hashes are salted. Who cares about a breach with salted hashes?

      If they aren't sure of the extent of the compromise, reading salted hashes (assuming they were) might only be part of the problem. Could be they were intercepting passwords on the fly.

    • by rgbrenner ( 317308 ) on Wednesday July 24, 2013 @08:50PM (#44376871)

      They use vBulletin.. the passwords are salted.. but it's just md5(salt+md5(password)). The salt is in the db, and it's just 2 md5 hashes -- NO stretching, PBKDF2, bcrypt, or anything else. It's literally one step up from plaintext. You can recover those passwords in very little time. You SHOULD assume the passwords are compromised.

      http://www.vbulletin.org/forum/showthread.php?t=178091 [vbulletin.org]

      • Indeed...

        Here is a 25 GPU cluster that can go after MD5 hashes. [arstechnica.com]

        The cluster can try 180 billion combinations per second against the widely used MD5 algorithm

        Realize that an 8 character password is only about 48 bits of entropy, so if you find a key that hashes to that 128-bit MD5 hash code then its almost certain that that is in fact the password and not just a random collision. I am appalled at the horrible password "protection" practice in use today. In the 1980's we knew better and didnt store the
      • It's literally one step up from plaintext. You can recover those passwords in very little time. You SHOULD assume the passwords are compromised.

        Really? Can you explain how this is done? My understanding is that MD5 is a one way hash function. I know of no real way to reverse an MD5 hash. I know there are MD5 databases that can do a reverse lookup, but they are only limited to dictionaries the common strings they contain. Surely that is only really useful if your password was something stupid like a dictionary word, or some lame leetified word like "l0ve". How do you reverse an MD5 hash if it is not?

        I am genuinely interested.

        • by Rockoon ( 1252108 ) on Wednesday July 24, 2013 @09:23PM (#44377147)

          How do you reverse an MD5 hash if it is not?

          You try all possible inputs at a rate of 180 billion combinations per second. [arstechnica.com]

          For an 8 character alphanumeric with a few symbols, thats about 48 bits of entropy, which equates to 1564 seconds (26 minutes) to try every single possible input. Since you used a 128-bit hash on 48 bits of entropy, the odds are very very very good that only one single input will result in the stored MD5 hash.

          Thus the attack knows precisely what the original password was in only 26 minutes, which fits the definition of "reversing" the hash in no more than 26 minutes.

          • You try all possible inputs at a rate of 180 billion combinations per second. [arstechnica.com] Thus the attack knows precisely what the original password was in only 26 minutes, which fits the definition of "reversing" the hash in no more than 26 minutes.

            Ok. That is fast. Still - there are two md5 hashes with a salt added - so it would likely take 52 minutes - although I think you could call that a distinction without a difference.

            • Ok. That is fast. Still - there are two md5 hashes with a salt added - so it would likely take 52 minutes - although I think you could call that a distinction without a difference.

              Dont forget that since the users account name isnt part of the salt (or so I presume, given the bad hashing practice already noted by others), then every accounts hash can be attacked simultaneously. Thats 26 or 52 minutes to crack the password of every single account.

              • the salt is random.. so each user's password would need to be cracked individually.

                that doesn't make it 52min though..

                You could speed this up by hashing the password you want to try, then hashing it with each user's salt. So instead of 2x hashes, you would have (# of users) + 1 md5 calcs for each password attempt.

                And the average time would be 1/2 of the max time.

                Also... most of those passwords are probably dictionary words.

                • the salt is random.. so each user's password would need to be cracked individually.

                  That isn't very comforting without knowing the hacker's intentions. For all we know, maybe your password was the only one they wanted.

            • "Still - there are two md5 hashes with a salt added "

              No, even that part was done improperly. Since they hashed the password, then added the salt, then hashed the result.. it's actually just (# of users) + 1 md5 hashes.

              1) hash password
              2) concat hash + salt
              3) hash result
              4) repeat 2 & 3 for each user

          • To expand further on this, it is a violation of CWE-257 [mitre.org] to store a much wider hash than the passwords entropy.

            "The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users."

            Storing a 128-bit hash of a typical password, due to their much lower entropy, is in fact storing it in a recoverable format.
            • I don't think that brute forcing to identify passwords is what's meant by "recoverable" here. Though, I suppose I'm with you in the idea that if it's easy enough it's virtually the same.

              I'm not getting what (other) significance you're assigning to the idea of passwords being much lower entropy than their hashes. Is there something about the relative entropies that matters, or are you just again pointing to the ease of brute forcing something like passwords (which are going to be, in practice, only a small

        • MD5 is just not computationally intensive by todays standards. You can easily calculate several BILLION MD5 hashes per second on a modern GPU. It's fast enough that you can simply bruteforce it.. you can rent an EC2 cluster for a few dollars if you don't want to spend the money on the GPUs.

          There's a reason why at a minimum stretching is used (this is when you hash a password + salt, then hash the hash typically a few 10000 times)... this is standard practice BTW if you're going to use hashes (or better, use

      • by lindi ( 634828 )

        Btw, the article you linked says it's actually md5(md5(password)+salt).

        • You're right.. the hash is appended to the password hash (not prepended). Carelessness on my part.. good catch.

    • by bmk67 ( 971394 )

      Would you prefer that they kept silent? I wouldn't. Personally, I prefer an appropriate amount of transparency to silence and bullshit.

      • by AHuxley ( 892839 )
        What is holding all the sites back from better password as mentioned the md5(salt+md5(password))?
        What do website admins think of "Here is a 25 GPU cluster that can go after MD5 hashes" arstechnica.com efforts?
        Power and CPU time per user is the expensive over many users over years with new encryption?
        Lack of easy software upgrades? ie would users have to re join as "new" encryption is added?
        Good encryption is expensive per site? Needs hardware upgrades or next gen cpu?
        • by bmk67 ( 971394 )

          What is holding all the sites back from better password as mentioned the md5(salt+md5(password))?

          What do website admins think of "Here is a 25 GPU cluster that can go after MD5 hashes" arstechnica.com efforts?

          Power and CPU time per user is the expensive over many users over years with new encryption?

          Not generally, no. While strong encryption is considered an expensive operation, for a typical system, authentication is something that is relatively rarely done and the computing expense is a tiny part of the overall.

          The trick is to make the hashing algorithm inexpensive enough that it isn't a burden on the authenticating system, but expensive enough that it's impractical to attack the hashes, now and a for a reasonable time going forward. As more computing power becomes available, that balance point sh

          • You don't even need a password change. You just store in the database what password verifier scheme was used (and a pair of MD5s with a salt of unknown size is a damn weak one) and then when the user logs in, you derive the password verifier using the scheme stored in the DB for their account. If it matches, then you log them in (of course) but you *also* computer a new password verifier using the new, better scheme - say, PBKDF2 with 50000 iterations - and then store that new verifier, and the new scheme y

    • by HJED ( 1304957 )
      Because apparently [simplemachines.org] the hacker's have managed to crack them.
  • Dupe.

    samzenpus, you fucking suck sometimes. Hope you're not getting paid for this.

  • by bloodhawk ( 813939 ) on Wednesday July 24, 2013 @08:55PM (#44376915)
    So has this happened yet again or just another Dupe?
  • by Camael ( 1048726 ) on Wednesday July 24, 2013 @11:02PM (#44377671)

    This will probably hurt their campaign to bring Ubuntu to mobile [engadget.com].

    Their kickstarter at Indiegogo [indiegogo.com] already seems to be slowing down.

    Not quite fair to link a forum breach to Ubuntu, but public perception is what matters.

  • Great.
    With their policy of needing to sign-in in order to download anything (script, picture, ...), I bet they have way more information than they needed to have.
    And this information is now compromised....

  • I hope the iterated with a sufficiently high count in addition. But as they do not say that, I am doubtful. Any competently done set-up would at the very least use PBKDF2 or scrypt with an iteration count > 100'000.

    Why do people keep getting this very basic stuff wrong?

  • It's not news, even for nerds, when it is reported a week after everybody else reported it.

((lambda (foo) (bar foo)) (baz))

Working...