Not affiliated with or endorsed by the phpBB Group

Welcome to all phpBB2 Refugees!
This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The end

~Cowboy~
Board Member | Joined: 08 Dec 2008 | Posts: 297 | Location: Chicago
Posted: Wed Feb 11, 2009 8:43 pm | Post subject: Re: The end

One thing has nothing to do with the other. This incident has nothing to do with phpbb at all.

This is a phplist exploit that some script kiddie read about on a hacker blog and took advantage of before the patch was out.

_________________
We are not refugees, we are trail blazers. ;)

Sylver Cheetah 53
Board Member | Joined: 17 Dec 2008 | Posts: 426 | Location: Milky Way
Posted: Wed Feb 11, 2009 8:48 pm | Post subject: Re: The end

Look, Cowboy. :(
Marshalrusty wrote:
As you may already be aware from the message on phpBB.com or the topic in the #phpBB channel on Freenode, we have recently been attacked via a vulnerability in an outdated PHPList installation. It is important to stress that no vulnerabilities have been found in the phpBB software itself.

We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.


phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not login on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format.

If the password to your phpBB.com account is used anywhere else (especially with the same username), we strongly recommend that you change it. Using the same password across multiple sites is not security wise and should not be done under any circumstance. Additionally, you should change your password on phpBB.com, when it becomes available.

We apologise that we allowed this to happen by not patching vulnerable software in time. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. At this time, the team is working around the clock to restore phpBB.com and other resources.

Thank you,

- The phpBB Teams

_________________
My Forum || My Blog

phpBB2 forever! :)

Dog Cow
Board Member | Joined: 18 Nov 2008 | Posts: 378
Posted: Wed Feb 11, 2009 8:49 pm | Post subject: Re: The end

Also the old passwords are going to be rehashed in 3.0.5: http://code.phpbb.com/repositories/revision/5/9312

_________________
Moof! Email me: dog_cow@macgui.com
Inside Allerton Park • Lincoln's Tomb, Oak Ridge Cemetery, Springfield IL • Mac 512K Blog

drathbun
Board Member | Joined: 24 Jul 2008 | Posts: 653 | Location: Texas
Posted: Wed Feb 11, 2009 9:07 pm | Post subject: Re: The end

Here are the facts:

1. phpbb.com was not hacked on Feb 1. It was hacked weeks earlier, via an exploit in phplist as has been stated. There is nothing significant about the fact that phpbb.com got hacked on the same date they froze the phpbb2 forums.

2. phpbb.com used phplist because it's very good at what it does, sending massive amounts of email. As anyone can see (from topics even on this site), phpbb's mass email system is functional for smaller boards, but not for larger boards like phpbb.com. Thus, they selected a tool dedicated for the job.

3. The password hashing algorithm used in phpbb2 is good (md5) but it is old. There is no way to mathematically reverse the hash, but there are a number of ways to attack the hash. Thus the hacker, once he got access to the phpbb.com database, was able to easily determine what certain hashed passwords were. Care to guess what one of the most common passwords was? "password" :) The hashing algorithm used in phpBB3 is much stronger and it is salted, which makes it much MUCH less vulnerable to the types of attacks used on a simple md5 hash. In my opinion, the comments about phpBB2 being weaker in this aspect are absolutely correct. If the entire board were still running phpbb2, then every single password would be at risk. As it is, the passwords that were revealed were weaker passwords stored in the original phpbb2 hash because those folks had never logged in since the conversion.

_________________
phpBBDoctor Blog
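To make the difference drathbun describes concrete, here is an added Python illustration; it is not phpBB's own code (which is PHP) and does not reproduce phpBB3's real hash format. A phpBB2-style record is a bare MD5 hex digest, so two users who chose the same password hold the identical stored value; a salted, iterated hash gives each of them a different value. The `login` function also performs the convert-on-first-login step the phpBB team's announcement quoted earlier in this thread describes: a legacy hash that verifies is immediately re-stored in the salted form. The PBKDF2 scheme, the iteration count and the `pbkdf2$...` storage format are assumptions chosen for this example.

```python
"""Unsalted MD5 (phpBB2 style) versus a salted, iterated hash, plus upgrade-on-login.

Added illustration in Python; phpBB itself is PHP and its real hashing code is
not reproduced here.  The PBKDF2 scheme, iteration count and storage format are
assumptions for this example, not phpBB3's actual format."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a phpBB value


def legacy_md5_hash(password: str) -> str:
    """phpBB2-style storage: a bare MD5 hex digest with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash.  Constructed format: pbkdf2$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy(stored: str) -> bool:
    """A 32-character hex string with no '$' separator is an unconverted MD5 hash."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login.  A successful login against a legacy hash re-stores the
    password in the salted format, which is the convert-on-first-login step."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy(stored):
        ok = hmac.compare_digest(legacy_md5_hash(password), stored)
        if ok:
            users[username] = salted_hash(password)
        return ok
    return verify_salted(password, stored)


def duplicate_hash_groups(users: dict) -> int:
    """Number of distinct stored values shared by more than one account.
    With unsalted hashes, identical passwords produce identical hashes, so one
    shared hash value exposes every account using that password at once."""
    counts: dict = {}
    for stored in users.values():
        counts[stored] = counts.get(stored, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def demo() -> tuple:
    """Constructed users table: three phpBB2-style records, two sharing 'password'."""
    users = {
        "alice": legacy_md5_hash("password"),
        "bob": legacy_md5_hash("password"),
        "carol": legacy_md5_hash("correct horse battery"),
    }
    shared_before = duplicate_hash_groups(users)   # alice and bob collide
    login(users, "alice", "password")              # upgraded on first login
    login(users, "bob", "password")                # upgraded, with a different salt
    login(users, "carol", "wrong")                 # fails, stays on the legacy hash
    shared_after = duplicate_hash_groups(users)    # salts make alice and bob differ
    return shared_before, shared_after, is_legacy(users["alice"]), is_legacy(users["carol"])


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(1, 0, False, True)`: one shared hash value before the upgrade, none after, and only the account that never logged in successfully is still on the legacy format, which is exactly the population the announcement says the attackers concentrated on.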
roadhog
Board Member | Joined: 19 Nov 2008 | Posts: 95 | Location: Central Texas
Posted: Wed Feb 11, 2009 9:51 pm | Post subject: Re: The end

cherokee red wrote:
    Quote:
        So, do we need to add this line of code to our admin/index.php file, (as suggested by phplist.com), or does that change have to be made on the server?

    You only need to do that if you have phpList installed. If you don't, you don't need to do anything.

Thanks cherokee red. I appreciate the clarification.

~Cowboy~
Board Member | Joined: 08 Dec 2008 | Posts: 297 | Location: Chicago
Posted: Wed Feb 11, 2009 9:52 pm | Post subject: Re: The end

drathbun wrote:
3. The password hashing algorithm used in phpbb2 is good (md5) but it is old. There is no way to mathematically reverse the hash, but there are a number of ways to attack the hash. Thus the hacker, once he got access to the phpbb.com database, was able to easily determine what certain hashed passwords were. Care to guess what one of the most common passwords was? "password" :) The hashing algorithm used in phpBB3 is much stronger and it is salted, which makes it much MUCH less vulnerable to the types of attacks used on a simple md5 hash. In my opinion, the comments about phpBB2 being weaker in this aspect are absolutely correct. If the entire board were still running phpbb2, then every single password would be at risk. As it is, the passwords that were revealed were weaker passwords stored in the original phpbb2 hash because those folks had never logged in since the conversion.

I agree with that statement, but the fact is... if the phplist exploit was not there, then the phpbb2 database would not have been at risk, because they would not have gained access to it in the first place, right?

So although the phpbb3 password protection is a more secure way to do it... phpbb2's MD5 is fine for most boards as long as your supporting software is secure and does not allow access to the database in the first place.

_________________
We are not refugees, we are trail blazers. ;)

drathbun
Board Member | Joined: 24 Jul 2008 | Posts: 653 | Location: Texas
Posted: Wed Feb 11, 2009 10:15 pm | Post subject: Re: The end

~Cowboy~ wrote:
So although the phpbb3 password protection is a more secure way to do it... phpbb2's MD5 is fine for most boards as long as your supporting software is secure and does not allow access to the database in the first place.

And if you have used a "strong" password you're relatively safe as well. Dictionary words are a big no-no. Mixed up characters / numbers / symbols / different case letters and so on will certainly make it less likely that your password will be easily determined.

But the salting process / alternate hashing algorithm used by phpBB3 is certainly much stronger.

_________________
phpBBDoctor Blog

Jim_UK
Board Member | Joined: 19 Nov 2008 | Posts: 538 | Location: North West UK
Posted: Wed Feb 11, 2009 10:29 pm | Post subject: Re: The end

drathbun wrote:
But the salting process / alternate hashing algorithm used by phpBB3 is certainly much stronger.


Did you say that you were going to look at a mod to convert phpBB2 to use that same salting of the hash?

Jim

Highway of Life
Board Member | Joined: 19 Nov 2008 | Posts: 3 | Location: 127.0.0.1
Posted: Wed Feb 11, 2009 11:20 pm | Post subject: Re: The end

It won't matter quite as much what kind of hash you use as long as users use passwords that they should be using... i.e. johnny is not a good password, but 6Sbs55GxwxXI16A+7*JMX=0xZ is a good password.
The more security is at stake on the system you are logging into, the more important it is for you to use a stronger password. For the mailing list, many people used "throw away" passwords such as '123456'; it didn't matter what password they used because it was for something completely insignificant. Hack my account, so what? You can change my subscription settings or unsubscribe me, it doesn't matter.
We actually discussed this in-depth on STG: Protect your site with real passwords.

Your online bank account, online credit card accounts, PayPal, eBay, cPanel, SSH server access, FTP accounts, etc... those must ALL be very strong 6Sbs55GxwxXI16A+7*JMX=0xZ type of passwords. Secondly, you should NEVER use the same password on multiple websites, that's just asking for trouble. Even if you use a password as strong as 6Sbs55GxwxXI16A+7*JMX=0xZ, if you use it on 10 websites and a hacker determines the password on one of those sites, the other 9 are going to be vulnerable to them using that password to login.

So what makes a strong password?

  1. 20 or more characters (preferably 25 or more). The more, the stronger and better.
  2. MiXEd cAsE letters.
  3. Gobbledegook (i.e. non-dictionary words): 'YlkwAhfWAhKl' is good, 'ihaveanicepassword' is bad.
  4. Numbers and symbols (~!@#$%^&*) mixed into the password will make it much stronger.

So how do you remember such a password?
That's the trick, you don't want to remember it, you're not supposed to. If you can remember it, it's not a strong enough password. Instead, use a password manager application (notice I didn't say browser extension or plugin). For Macs, use 1Password; for Windows, SyncPlaces or KeePass type of applications would work.

And last of all, do not access sensitive accounts on public computers, including friends' computers; there can easily be a key logger or some other spyware installed that will be able to grab your account information on the sensitive accounts that you log into.

_________________
phpBB.com Modifications Team Member
Co-Founder phpBB Academy at StarTrekGuide
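The four rules in Highway of Life's list, written out as a checker. This is an added Python example, not code from that post, from STG or from phpBB; `COMMON_WORDS` is a tiny constructed sample standing in for a real dictionary, and `search_space_bits` is a rough estimate (length times log2 of the character classes present) of how much a blind guess would have to cover, which is the quantity that matters for the brute-force point raised later in the thread. The post's own examples are used as inputs: the 25-character password passes, while 'johnny', '123456' and 'ihaveanicepassword' fail, and 'YlkwAhfWAhKl' passes only the dictionary rule.

```python
"""Checker for the four strong-password rules listed in the post above.

Added Python illustration, not code from the post, STG or phpBB.  COMMON_WORDS
is a tiny constructed sample standing in for a real dictionary."""
import math
import string

MIN_LENGTH = 20         # rule 1: 20 or more characters
PREFERRED_LENGTH = 25   # rule 1: preferably 25 or more
# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "johnny", "123456", "qwerty", "letmein", "have", "nice", "welcome"}


def contains_dictionary_word(password: str, words=COMMON_WORDS, min_len: int = 4) -> bool:
    """Rule 3: flag any listed word of min_len+ characters appearing inside the password,
    so 'ihaveanicepassword' fails even though it is long and contains no spaces."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def check_password(password: str) -> dict:
    """Evaluate each rule separately so the user can see which one failed."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return {
        "length_20": len(password) >= MIN_LENGTH,              # rule 1
        "length_25_preferred": len(password) >= PREFERRED_LENGTH,
        "mixed_case": has_lower and has_upper,                 # rule 2
        "no_dictionary_word": not contains_dictionary_word(password),  # rule 3
        "digits_and_symbols": has_digit and has_symbol,        # rule 4
    }


def search_space_bits(password: str) -> float:
    """Rough size of the space a blind guess must cover: length x log2(alphabet),
    where the alphabet is implied by the character classes present.  A long
    dictionary phrase scores well here yet fails rule 3; both checks are needed."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0


def is_strong(password: str) -> bool:
    """All mandatory rules pass; the 25-character preference is advisory only."""
    results = check_password(password)
    return all(ok for rule, ok in results.items() if rule != "length_25_preferred")


if __name__ == "__main__":
    for candidate in ["6Sbs55GxwxXI16A+7*JMX=0xZ", "johnny", "ihaveanicepassword", "YlkwAhfWAhKl"]:
        print(candidate, is_strong(candidate), search_space_bits(candidate), check_password(candidate))
```

Keeping the rules separate in `check_password` is deliberate: a single pass/fail tells the user nothing, while the per-rule result says whether the problem is length, character mix or a recognizable word.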
iWisdom
Board Member | Joined: 19 Nov 2008 | Posts: 16
Posted: Fri Feb 13, 2009 6:43 pm | Post subject: Re: The end

~Cowboy~ wrote:
I agree with that statement, but the fact is... if the phplist exploit was not there, then the phpbb2 database would not have been at risk because they would not have gained access to it in the first place right?

The phpBB2 database has not existed on .com's servers for a long time. The passwords that were bruteforced were unconverted ones in the users table, from users who had not logged in since the site upgraded to phpBB3 two years ago.

Also, md5 is fine as long as nobody can gain access to it. The problem with this is phpBB2 is now unsupported from a security standpoint as well. This means that you cannot guarantee your boards will never be compromised and your passwords will become vulnerable to bruteforcing.

Sylver Cheetah 53
Board Member | Joined: 17 Dec 2008 | Posts: 426 | Location: Milky Way
Posted: Fri Feb 13, 2009 6:49 pm | Post subject: Re: The end

But from a brute-force point of view, phpBB2 or phpBB3 is the same, because it's still just trying out all kinds of combinations of letters/words until you get something. So it has nothing to do with how the password is "covered". :)
_________________
My Forum || My Blog

phpBB2 forever! :)

drathbun
Board Member | Joined: 24 Jul 2008 | Posts: 653 | Location: Texas
Posted: Fri Feb 13, 2009 7:00 pm | Post subject: Re: The end

That's a valid point. Any system that allows brute force attacks is vulnerable, no matter what hashing / salting algorithm is used.
_________________
phpBBDoctor Blog

roadhog
Board Member | Joined: 19 Nov 2008 | Posts: 95 | Location: Central Texas
Posted: Fri Feb 13, 2009 9:43 pm | Post subject: Re: The end

Am I correct in assuming that a relatively low setting for allowed login attempts, (say four or five), with a "reasonable" login lock time, (say 15 minutes), is a defense against that?

Highway of Life
Board Member | Joined: 19 Nov 2008 | Posts: 3 | Location: 127.0.0.1
Posted: Sat Feb 14, 2009 2:22 am | Post subject: Re: The end

roadhog wrote:
Am I correct in assuming that a relatively low setting for allowed login attempts, (say four or five), with a "reasonable" login lock time, (say 15 minutes), is a defense against that?

Any reasonable limit is a good prevention against that, because it's a limit on how many attempts at brute-forcing they can try. Of course, if they can break (read) the CAPTCHA correctly, it would be far more attempts; this is why it is so important to have a password that cannot be brute forced.
_________________
phpBB.com Modifications Team Member
Co-Founder phpBB Academy at StarTrekGuide

~Cowboy~
Board Member | Joined: 08 Dec 2008 | Posts: 297 | Location: Chicago
Posted: Sat Feb 14, 2009 2:24 am | Post subject: Re: The end

roadhog wrote:
Am I correct in assuming that a relatively low setting for allowed login attempts, (say four or five), with a "reasonable" login lock time, (say 15 minutes), is a defense against that?

It's a good way to make the brute force attack a long, drawn-out process, but it can still be done. It will just take much longer to do.

But it makes you a much less likely target because there are much easier targets to be had.

I set mine at 3 attempts and 60 min. :D

Let's face it, how many people mistype their password 4 times in a row? :roll:

_________________
We are not refugees, we are trail blazers. ;)
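The lockout roadhog asks about, as an added Python model; this is not phpBB's login code, and the clock is passed in as an integer number of seconds so the example runs offline. After `max_attempts` consecutive failures the account is locked for `lock_seconds`, a correct password presented during the lock is still refused, and `max_guesses_per_day` puts a number on the "long, drawn-out process" Cowboy describes: roadhog's five attempts per 15 minutes bounds an attacker at 480 guesses per account per day, Cowboy's three per hour at 72.

```python
"""Failed-login lockout: N allowed attempts, then the account is locked for T minutes.

Added illustration in Python, not phpBB's own login code.  Time is an integer
number of seconds supplied by the caller so the example runs offline."""
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_attempts: int = 5          # roadhog's "four or five"
    lock_seconds: int = 15 * 60    # roadhog's "say 15 minutes"
    _failures: dict = field(default_factory=dict)      # username -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # username -> time the lock expires

    def is_locked(self, user: str, now: int) -> bool:
        """True while a lock is in force; an expired lock is cleared and the counter reset."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        A correct password presented during a lock is still refused."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = now + self.lock_seconds
        return "failed"

    def max_guesses_per_day(self) -> int:
        """Upper bound on guesses against one account in 24 hours: a full batch of
        attempts, then a lock, repeated as often as the lock period fits in a day."""
        return (86400 // self.lock_seconds) * self.max_attempts


def simulate(throttle: LoginThrottle, user: str, guesses: list,
             real_password: str, start: int = 0) -> list:
    """Feed a constructed sequence of guesses one second apart; return the outcomes."""
    return [throttle.attempt(user, guess == real_password, start + i)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    t = LoginThrottle()
    # Constructed guess sequence: five wrong guesses, then the right one while locked.
    print(simulate(t, "alice", ["a", "b", "c", "d", "e", "s3cret!"], "s3cret!"))
    print(LoginThrottle().max_guesses_per_day(), LoginThrottle(3, 60 * 60).max_guesses_per_day())
```

The limit is per account, so it slows guessing against one account but says nothing about how the stored hash holds up once a database copy is in someone else's hands, which is the separate point the thread made earlier; the lockout also locks out the legitimate owner, which is the cost behind Cowboy's "how many people mistype their password 4 times in a row?" question.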
Page 3 of 4 (all times are GMT)