Ubuntu Forums hacked. Should we be concerned?

Hi. As some of you might know by now, the Ubuntu Forums has been hacked recently. Their software is vBulletin which is the same as FreeBSD's. I just would like to know if the FreeBSD forums are secure enough to avoid the same fate. Thanks in advance and more power.
 
Not that I don't have any faith in the powers that be, let this be very clear, but you should never consider a forum to be "safe"; not even this one.

Always make sure that you're not using a password which you've been using all over the place (I heavily rely on PWGen for Windows to come up with unique password for websites), and also double check that you're not providing information which should never make it out in the open.

Honestly; with modern browsers which can save your passwords and the massive amount of password vaults (programs to store a password collection) there really is hardly a need to use one password to 'rule them all' (perhaps apart from securing your password collection itself).

If you take these steps then you'll always be able to minimize the risk, even if something nasty does happen.
 
Yeah, just use some password safe like Password Gorilla or KeePass, let it generate a password for you and never use it on multiple sites/machines.
 
I have a password scheme where I use an impossible to guess "hard" password that I can still remember well as a common prefix and I then concatenate a few letters at the end to identify the site I'm using the password on. This makes it impossible for hackers to use the hash of my password on any other sites even if my passwords are different by just a couple of letters.

This works if the hash function is "collision resistant".

Let's say my common password is "epPXSBSy" (random junk from https://www.grc.com/passwords.htm, not my actual password :P ). I then use a password "epPXSBSyFBF" on these forums. The SHA256 hash value of this password is:

Code:
720e57ce6d743bb8438234776ee4728bd9d4b77bf0952e3630d27d074194baeb

Let's assume that this hash gets leaked to hackers. Note that I have no idea what hash function is actually used for the passwords on these forums, this is just an example. There's also what is called "salt" involved but I've left that out.

I have used a similar password on for example Debian Linux forums, "epPXSBSyDLF". The SHA256 hash of this password is:

Code:
1f541e81bd0d59c6fc65536764552140ecc88cf56bfe0abba70434fdf2d543dc

Notice how different the hash is even if only three letters changed.

If the hash function is collision resistant, it should be impossible (computationally infeasible is the term often used) to find out this SHA256 hash of the password I use on Debian Linux forums using only the hash of my password from these forums that was leaked to hackers.

In reality this is the case because SHA256 is still considered collision resistant.

My scheme is also nice in that it is also impossible for the hackers to gain any advantage from knowing the scheme I use. All they are left with is a brute force attack against the hash function and trying to find a collision, and that is as noted practically impossible if the hash function is good enough like SHA256.
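To make the two ideas in this post concrete (how far apart the digests of two nearly identical passwords land, and the salt the post leaves out), here is an added Python example; it is not code from the post or from vBulletin. The two passwords are the constructed ones from the post, the PBKDF2-HMAC-SHA256 iteration count of 600,000 and the `pbkdf2_sha256$iterations$salt$digest` record layout are choices made here for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example passwords copied from the post above (not real credentials).
FORUM_PASSWORD = "epPXSBSyFBF"   # shared prefix + "FBF" for this forum
OTHER_PASSWORD = "epPXSBSyDLF"   # same prefix + "DLF" for another site

# Assumption: work factor chosen for this example, not a vBulletin setting.
PBKDF2_ITERATIONS = 600_000


def sha256_hex(password: str) -> str:
    """Plain, unsalted SHA-256 of the UTF-8 password, as the post computes it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """How many of the 256 bits differ between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash for storage: 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password, or the
    same user registering twice, get different stored values, so a leaked table
    cannot be attacked with one precomputed lookup for everyone at once.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    h1, h2 = sha256_hex(FORUM_PASSWORD), sha256_hex(OTHER_PASSWORD)
    print(h1)
    print(h2)
    print(f"{bit_difference(h1, h2)} of 256 bits differ")
    record = hash_password(FORUM_PASSWORD)
    print(record)
    print(verify_password(FORUM_PASSWORD, record), verify_password(OTHER_PASSWORD, record))
```

Run it to print both digests and count the differing bits; roughly half of the 256 bits change although the inputs share eight of eleven characters, which is the property the post's two hex values illustrate. `hash_password` is what a site should be doing on its side: the salt makes each stored record unique, the iteration count makes every guess expensive, and `hmac.compare_digest` avoids leaking timing information during verification. The prefix scheme on the user's side only pays off when the site actually hashes; a site that stores passwords in the clear shows the shared prefix directly, which is the reuse risk the later posts in this thread warn about.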
 
we believe the root cause of the breach has been identified.
How nice of them to share that information. Depending on the root cause we may or may not have any issues. For all we know they got in by using an SSH brute-force.
 
ShelLuser said:
Not that I don't have any faith in the powers that be, let this be very clear, but you should never consider a forum to be "safe"; not even this one.

Pretty much. Always assume that any credentials you use online are compromised. Even if the forum/site HAS NOT been hacked, do you know/trust the admin staff? Do you trust the programmer of the forum software?

Never use the same username and password on multiple sites!

Yes, it's a pain in the butt. No, you won't be able to remember all those passwords, especially if they are properly secure fully random 16-32+ characters in length.

This is why we have password managers now.
 
throAU said:
Pretty much. Always assume that any credentials you use online are compromised. Even if the forum/site HAS NOT been hacked, do you know/trust the admin staff? Do you trust the programmer of the forum software?

Never use the same username and password on multiple sites!

Yes, it's a pain in the butt. No, you won't be able to remember all those passwords, especially if they are properly secure fully random 16-32+ characters in length.

This is why we have password managers now.

Very true, especially these days when you have many people running sites, who no one really knows anything about and you never know what they are doing behind closed doors or what they might be planning to do.
 
There is a real easy solution to this. Don't put out there, anything that would cause any devastation if lost.

My passwords are not complex. They are unique, but not unique enough for the higher standards of security. Most of my on-line identity, is labeled under the same user name. It would cost me very little, if that identity was hacked. There is only one source of monetary quality, to be gained by a very successful attack on me. It is a debit card, connected to no other accounts. It will deny any transaction, higher than the most recently known stable balance. The card has a low minimal balance. I only put more than the minimal balance on the card, when purchasing something on-line. Otherwise the card only maintains the minimal balance. I do not fear an attack on my on-line persona, just because I can afford to lose all that is attached to that persona. A very powerful intruder might be able to acquire, at best the personal information that the card provider may have on record about me. At that point they are putting enough effort into it, that my on-line identity needn't be hacked to render me vulnerable to their skills.

A hacked account would cause a possible end of h3z for me, and a few dollars. I can get a different card from a different bank. I can also create a new user name.

I can't say that I am extremely safe. But, you are asking for it, if you make available on-line that which is important to you.

I'm not saying that adding complexity to your login is a bad idea. But it's a better idea, in addition, to limit the damage possible.

I understand that many people are connected to their employer through the same device that is used for non-work related affairs. It's a bad idea to mix work with pleasure. In cases like this, it might be wise to at least use a different browser for the two different instances of use. Better yet, one could isolate the different instances on the same machine by dual booting operating systems, or running virtual machines. These ideas might be for the more paranoid, who are probably already taking greater on-line precautions.

Yes, the use of multiple complex passwords is important. However, unless required, don't put anything on the line that you mustn't.
 
When it comes to strong password topic, I always liked this picture:

password_strength.png
 
Yeah, there's a good point to that. Contrary to the common perception, it is very hard to guess or brute force crack passwords that are made of multiple common (and easy to remember) words concatenated. So called dictionary attacks only work when the password is just one word straight out of a dictionary. Combining two words already creates a big problem for the potential cracker because he then has to try a cartesian product of the words in a dictionary concatenated. Add a third word and it goes way beyond what can be done with a computer. Add a fourth word just in case there's a breakthrough in quantum computing in the next few years.
 
If you can, use a passphrase instead of a password. A passphrase contains multiple words, and a short sentence should be easy to remember. Unfortunately sometimes you can't enter more characters, and even if you did it would get chopped.
 
kpa said:
This looks like a good online password strength tester:

http://rumkin.com/tools/password/passchk.php

I ran a test with three common words concatenated with few numbers in between the words, the password would be very easy to remember. This page told me that there's about 150 bits of entropy in the password and it's most likely an overkill.

I didn't try with any of my already existing passwords, but I tried with a new one created by the same means. It's a pass-phrase which I find easy to remember, and here are the stats:
Code:
Length: 41
Strength: Very Strong - More often than not, this level of security is overkill.
Entropy: 262.4 bits
Charset Size: 213 characters

Good to know. :)
 
There is also the option of having a keyboard with a different language layout from what one considers normal.

  1. Attach keyboard.
  2. Change keyboard locale.
  3. Type in username and password.
  4. Return keyboard locale to normal and start posting.

Using this method along with other methods would be more secure.
 
kpa said:
This looks like a good online password strength tester:

http://rumkin.com/tools/password/passchk.php

Yop, that's why my favorite passwords were:

i like to see you naked:)
#include <stdio.h>
fun @ my house

I still use passwords in this fashion. I did however encounter lots of trouble with the last one on Solaris servers as many of them used @ as a kill control character. So each time I tried to login my session got killed.
 
matoatlantis said:
When it comes to strong password topic, I always liked this picture:

password_strength.png

Doesn't get around the different password for every credential issue, and isn't as difficult to break as the author makes out :D


edit:
Also, the comic explicitly says stolen hashes are not something the average user needs to worry about. Which given the various hacks we've seen in recent years is VERY MUCH something to worry about. I'd even say stolen hashes are something to be more concerned about than remote login attempts, as logs and account lockout will typically trip those up relatively quickly.

If the hashes are stolen? All bets are off. They can be cracked off-line and then used to log in (possibly to an entirely different site if the user has re-used credentials) without generating any login failure.
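The contrast throAU draws, online guessing leaves a trail in the logs while a stolen hash table is cracked silently, is what the log-side detection below is built on. This is an added Python example, not code from the post or from any forum software; the OpenSSH-style auth log lines are constructed, and the lockout threshold of five failures is an assumption made here.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed OpenSSH-style auth log lines (not from any real system).
SAMPLE_LOG = """\
Jul 15 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 5011 ssh2
Jul 15 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.7 port 5011 ssh2
Jul 15 10:01:06 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 5012 ssh2
Jul 15 10:01:09 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 5013 ssh2
Jul 15 10:01:11 host sshd[1204]: Failed password for root from 203.0.113.7 port 5014 ssh2
Jul 15 10:02:30 host sshd[1210]: Failed password for alice from 198.51.100.4 port 6001 ssh2
Jul 15 10:02:45 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 6002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")


def failures_by_source(log_text: str) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count failed password attempts per source address and the usernames tried."""
    attempts: Counter = Counter()
    users: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            attempts[src] += 1
            users[src].add(user)
    return attempts, users


def flag_sources(log_text: str, threshold: int = 5) -> List[str]:
    """Sources at or above `threshold` failures: candidates for lockout or a firewall rule.
    This is the trail an online guessing attempt cannot avoid leaving."""
    attempts, _ = failures_by_source(log_text)
    return sorted(src for src, n in attempts.items() if n >= threshold)


def successes_after_failures(log_text: str) -> List[Tuple[str, str]]:
    """(source, user) pairs that logged in after earlier failures from the same source.
    Worth a second look either way; a login with a password cracked offline from a
    stolen hash table succeeds on the first try and never shows up here."""
    seen_failure: Set[str] = set()
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            seen_failure.add(f.group(2))
            continue
        a = ACCEPTED_RE.search(line)
        if a and a.group(2) in seen_failure:
            hits.append((a.group(2), a.group(1)))
    return hits


if __name__ == "__main__":
    attempts, users = failures_by_source(SAMPLE_LOG)
    for src, n in attempts.most_common():
        print(f"{src}: {n} failures, users tried: {sorted(users[src])}")
    print("flagged:", flag_sources(SAMPLE_LOG))
    print("success after failure:", successes_after_failures(SAMPLE_LOG))
```

On the constructed sample the first source trips the threshold after five failures across three usernames, which is the pattern lockout and monitoring catch quickly; the second source shows one failure followed by a successful key login, the benign case that the "success after failure" check surfaces for review. Nothing in these logs would ever record a password that was recovered offline from a leaked table and then used correctly once, which is throAU's point.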
 
matoatlantis said:
I did however encounter lots of trouble with the last one on Solaris servers as many of them used @ as a kill control character. So each time I tried to login my session got killed.
Just out of curiosity; do you happen to know what version those servers used?

Because I'm aware that @ is a kill control character, but mainly determined by the SysV specification. Sun Solaris also used ^U as a substitute.
 
ShelLuser said:
Just out of curiosity; do you happen to know what version those servers used?

Because I'm aware that @ is a kill control character, but mainly determined by the SysV specification. Sun Solaris also used ^U as a substitute.

If I have to bet on it I'd say it was 9, but I'm not 100% sure - it was ~4 years ago. Majority of the systems I work with are HP-UX, but there was a setup where several Solaris servers were in the environment too.

But it might have been a non-standard setup to begin with. Nowadays I don't see this issue on any system I work with.
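The trouble matoatlantis ran into is a general one: any password character that the terminal's line discipline treats as a special character (kill, erase, interrupt, end-of-file) never reaches the login program. Here is an added Python example, not code from either post, that parses `stty -a` output and reports which characters of a candidate password would collide; the `stty -a` text is a constructed sample with the kill character bound to `@`, and the exact layout of that output differs between Solaris, HP-UX and BSD.

```python
import re
from typing import Dict, Optional

# Constructed `stty -a` output for a terminal whose kill character is '@'.
# Illustrative only: the exact layout differs between Solaris, HP-UX and BSD.
SAMPLE_STTY_A = (
    "speed 38400 baud; rows 24; columns 80;\n"
    "intr = ^C; quit = ^\\; erase = ^?; kill = @; eof = ^D; eol = <undef>;\n"
)

SETTING_RE = re.compile(r"(\w+) = ([^;]+);")


def decode_caret(token: str) -> Optional[str]:
    """Translate stty's notation into the actual character: '^U' -> chr(0x15),
    '^?' -> DEL, '<undef>' -> None; anything else (such as '@') is literal."""
    if token == "<undef>":
        return None
    if len(token) == 2 and token[0] == "^":
        if token[1] == "?":
            return "\x7f"
        return chr(ord(token[1].upper()) ^ 0x40)
    return token


def parse_stty(output: str) -> Dict[str, Optional[str]]:
    """Map each special-character name (intr, kill, erase, ...) to its bound character."""
    return {name: decode_caret(tok) for name, tok in SETTING_RE.findall(output)}


def conflicting_chars(password: str, settings: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Password characters the line discipline would act on instead of passing through.
    With kill = '@', typing 'fun @ my house' discards 'fun ' and submits ' my house'."""
    return {name: ch for name, ch in settings.items() if ch is not None and ch in password}


if __name__ == "__main__":
    settings = parse_stty(SAMPLE_STTY_A)
    for candidate in ("fun @ my house", "#include <stdio.h>"):
        print(repr(candidate), "->", conflicting_chars(candidate, settings) or "no conflicts")
```

On a live system feed it the real output of `stty -a` instead of the sample. If the kill character is the problem, `stty kill '^U'` rebinds it for the current session, which matches the ^U substitute ShelLuser mentions; the check is equally useful before choosing a passphrase that contains `#`, `@` or other characters that older terminal setups reserve.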
 
What format is the author talking about? For passwords that can have one of 52 letters (lower and upper case), 10 digits and, say, 8 symbols for each character, the number of possible passwords of length 11 is 70^11. 2^67 ~= 70^11, so there are about 67 bits of entropy.

Two points:
  1. I don't know much about this; I just read the Entropy (Information Theory) Wikipedia page
  2. It's a comic.
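The arithmetic in this post (70 symbols, length 11, so 70^11 ≈ 2^67) and kpa's earlier point that a dictionary attack against k concatenated words has to cover W^k combinations are the same calculation, log2 of the keyspace. Here is an added Python example, not code from either post, that carries both through and also generates a passphrase with a CSPRNG so that the word-based estimate actually applies; the eight-entry word list is a constructed stand-in for a real list of a few thousand words.

```python
import math
import secrets
from typing import List

# Constructed miniature word list; a real one (e.g. a diceware list) has thousands of entries.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "apple", "river", "stone", "cloud"]


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `charset_size` symbols: log2(N^L).
    The post's case: 52 letters + 10 digits + 8 symbols = 70, length 11, about 67 bits."""
    return length * math.log2(charset_size)


def wordlist_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly (with replacement) from a list: log2(W^k).
    This is the cartesian-product cost of a dictionary attack that kpa describes."""
    return words * math.log2(wordlist_size)


def guesses_at_bits(bits: float) -> float:
    """Expected number of guesses to hit a uniformly chosen secret: half the keyspace."""
    return 2 ** (bits - 1)


def make_passphrase(wordlist: List[str], words: int = 4, sep: str = " ") -> str:
    """Pick words with a CSPRNG. Only then is the entropy really
    wordlist_entropy_bits(len(wordlist), words); words a person picks by hand are
    not uniformly distributed and get less."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"70 symbols, length 11: {charset_entropy_bits(70, 11):.1f} bits")
    print(f"95 printable ASCII, length 16: {charset_entropy_bits(95, 16):.1f} bits")
    print(f"2048-word list, 4 words: {wordlist_entropy_bits(2048, 4):.1f} bits")
    print(f"{len(SAMPLE_WORDLIST)}-word list, 4 words: {wordlist_entropy_bits(len(SAMPLE_WORDLIST), 4):.1f} bits")
    print("sample passphrase:", make_passphrase(SAMPLE_WORDLIST))
```

The 2048-word, four-word case gives 44 bits, the figure the comic in this thread uses; a fully random 16-character password from all printable ASCII gives about 105 bits, which is why throAU's "16-32+ characters" from a password manager is comfortably stronger. The estimate is a property of how the secret was chosen, not of how it looks, which is the caveat to keep in mind with online strength checkers such as the one linked earlier in the thread: they can only guess at the choice process from the final string.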
 