AnimeSuki Forums

Old 2014-05-14, 14:45   Link #261
Hachiko
The Akita
 
 
Join Date: Aug 2008
Location: Long Beach, CA
I have never had to change my details, but it looks like I had to do it for the first time in years.
__________________
The Akita.
Hachiko is offline   Reply With Quote
Old 2014-05-14, 14:49   Link #262
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by ChuckE View Post
Bruteforcing it may be possible but... c'mon, even Pentagon servers would require a couple of years.
Hacker has been preparing to hack this forum since 200x. Oh, maybe he was just lucky lol
Quote:
The results were pretty good, with speedups (when run on 8800 Ultra) of ~36x over a single core of a Q6700 Core Duo (or ~9x over all four cores, assuming linear scaling). This is a pretty nice gain for an unoptimized piece of code written in 1.5 days by a curious astrophysicist :-).



In absolute terms, the GPU was able to compute ~110 million MD5 hashes per second, while it was even faster (~160 Mhash/sec) when the results weren't stored to global memory but instead compared against a "target" hash and discarded if no match was found ("search mode"). In layman's terms, this means a single 8800 Ultra can brute-force break an MD5 hashed password of eight or less alphanumerics+numbers (A-Z, a-z, 0-9) in about ~16 days. Kind of scary.
Source: https://devtalk.nvidia.com/default/t...nd-benchmarks/

So... for passwords of 8 chars or less it takes about 16 days to crack them when hashed with MD5. Of course salt and length multiply that time, but even 16*16 (to figure out a similar length salt) would still end up at less than a year... Using a SINGLE 8 year old graphics card... Yeah, how do you think things look today?
__________________
Dextro is offline   Reply With Quote
Old 2014-05-14, 14:55   Link #263
Majic
Haibanologist
 
 
Join Date: Feb 2007
President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: [looks at each other]
__________________
Majic is offline   Reply With Quote
Old 2014-05-14, 15:06   Link #264
supermegasonic
Senior Member
 
 
Join Date: Jul 2012
And here I was thinking I was an idiot for not remembering my password again. Hopefully things get better from here on.
__________________
supermegasonic is offline   Reply With Quote
Old 2014-05-14, 16:45   Link #265
Luurah
CROSS IN!!
 
 
Join Date: Jul 2011
Location: Hurricane-Prone Florida
Age: 48
Send a message via Yahoo to Luurah
Now, this is scary!

When I saw the forums go down and saw that it got hacked, the first thing that popped in my head was "Holy ****! This is terrible!" At least, I'm glad that "the powers that be" behind AnimeSuki have brought some normalcy back to the forums.

I also had to change several passwords after learning the news. Hopefully, that'll keep me protected.
Luurah is offline   Reply With Quote
Old 2014-05-14, 17:27   Link #266
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Dextro View Post
So... for passwords of 8 chars or less it takes about 16 days to crack them when hashed with MD5. Of course salt and length multiply that time, but even 16*16 (to figure out a similar length salt) would still end up at less than a year... Using a SINGLE 8 year old graphics card... Yeah, how do you think things look today?
Afaik salt does not add much to the computation time (it would still be 16 days with that old GPU, or... a few hours with a modern one). What it does is make pre-existing rainbow tables unusable, in other words they'd have to do this for every password separately.

This means depending on what hardware is used, it would take a long time (weeks/months/years) for the attackers to crack everybody's password (that is, if everybody used completely random/unguessable passwords, which I doubt is the case), but it would still be possible to crack the passwords of specific users within hours. As we don't know who they'll focus on or the hardware used, it doesn't change much in regard to whether your old password is safe or not - it isn't, sadly.
GHDpro is offline   Reply With Quote
Old 2014-05-14, 17:44   Link #267
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Quote:
Originally Posted by GHDpro View Post
Afaik salt does not add much to the computation time (it would still be 16 days with that old GPU, or... a few hours with a modern one). What it does is make pre-existing rainbow tables unusable, in other words they'd have to do this for every password separately.

This means depending on what hardware is used, it would take a long time (weeks/months/years) for the attackers to crack everybody's password (that is, if everybody used completely random/unguessable passwords, which I doubt is the case), but it would still be possible to crack the passwords of specific users within hours. As we don't know who they'll focus on or the hardware used, it doesn't change much in regard to whether your old password is safe or not - it isn't, sadly.
Yhep. It would still take just a few months with a couple of modern GPUs to crack a large set of passwords I reckon. Most people don't use particularly long passwords from all the studies I've read on the subject so that works in favor of a hacker.

Luckily salt kills rainbow tables and dictionary attacks so there's that. MD5 is still extremely weak though. It's a shame that it isn't particularly easy to switch to something like SHA256 which is safer (or even scrypt which should be good for quite a while).
__________________
Dextro is offline   Reply With Quote
Old 2014-05-14, 19:09   Link #268
hollowfication69
Junior Member
 
Join Date: Aug 2013
Oh great, who in the world would attack a forum and steal our usernames, and for what?

I changed my password, but this is stupid.
hollowfication69 is offline   Reply With Quote
Old 2014-05-14, 19:11   Link #269
Krono
Senior Member
 
Join Date: Feb 2009
Quote:
Originally Posted by Dextro View Post
Yhep. It would still take just a few months with a couple of modern GPUs to crack a large set of passwords I reckon. Most people don't use particularly long passwords from all the studies I've read on the subject so that works in favor of a hacker.

Luckily salt kills rainbow tables and dictionary attacks so there's that. MD5 is still extremely weak though. It's a shame that it isn't particularly easy to switch to something like SHA256 which is safer (or even scrypt which should be good for quite a while).
By that article I've linked a couple times, it can take as few as 20 hours to crack 90% of a list of 16,449 MD5-hashed passwords. The hashes in question there weren't salted, but salting doesn't help that much, and in this case they got the salt for the passwords as well, so it's not even going to slow them down as much as it could have. So like I said, you can pretty much assume that any password that wasn't really good to start with has already been cracked.
Krono is offline   Reply With Quote
Old 2014-05-14, 20:11   Link #270
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Hold on a f**king second, are we still vulnerable?

They still using this MD5 thing that got hacked in the first place?
Nvis is offline   Reply With Quote
Old 2014-05-14, 21:49   Link #271
kusabireika
Seiso Academy Student
*Graphic Designer
 
 
Join Date: Sep 2012
Location: Lanvaldear :)
Send a message via MSN to kusabireika
What is this? I caught it while I'm surfing here.

Can anyone explain this? A bit confused. I'm using Mozilla Firefox as a web browser, or am I the only one that experiences it?
__________________
kusabireika is offline   Reply With Quote
Old 2014-05-14, 22:22   Link #272
Solace
(ノಠ益ಠ)ノ彡┻━┻
*Moderator
 
 
Join Date: Mar 2006
Quote:
Originally Posted by Nvis View Post
Hold on a f**king second, are we still vulnerable?

They still using this MD5 thing that got hacked in the first place?
Read the thread before getting pissed. We've fixed the immediate problems and beefed up our security as best as we can in the short term. It will take time to strengthen it further. There's plenty of advice in this thread so that you can also strengthen your own security, which helps you not just here but everywhere you have an account on the internet.

Never assume a site is safe. Ever. Safety is an illusion. All that can be done is to take precautions, learn from mistakes, and mitigate/repair the damage.

We do sincerely apologize for what happened, but keep in mind that it wasn't just you guys that got affected too, the staff did as well. Do you think we liked having to change our passwords, scan our computers for hours, and check every account we have for security breaches? We're taking this as seriously as everyone else is, and should be. We're not happy either, but we're doing what we can.

Quote:
Originally Posted by kusabireika View Post
What is this? I caught it while I'm surfing here.

Can anyone explain this? A bit confused. I'm using Mozilla Firefox as a web browser, or am I the only one that experiences it?
That looks like an intrusive ad. It happens to some users. Report it to Nightwish or GHD and they'll look into it. Do you use Adblock?
__________________
Solace is offline   Reply With Quote
Old 2014-05-14, 22:28   Link #273
kusabireika
Seiso Academy Student
*Graphic Designer
 
 
Join Date: Sep 2012
Location: Lanvaldear :)
Send a message via MSN to kusabireika
Quote:
Originally Posted by Solace View Post
Read the thread before getting pissed. We've fixed the immediate problems and beefed up our security as best as we can in the short term. It will take time to strengthen it further. There's plenty of advice in this thread so that you can also strengthen your own security, which helps you not just here but everywhere you have an account on the internet.

Never assume a site is safe. Ever. Safety is an illusion. All that can be done is to take precautions, learn from mistakes, and mitigate/repair the damage.

We do sincerely apologize for what happened, but keep in mind that it wasn't just you guys that got affected too, the staff did as well. Do you think we liked having to change our passwords, scan our computers for hours, and check every account we have for security breaches? We're taking this as seriously as everyone else is, and should be. We're not happy either, but we're doing what we can.



That looks like an intrusive ad. It happens to some users. Report it to Nightwish or GHD and they'll look into it. Do you use Adblock?
I see. I uninstalled my Mozilla and reinstalled it again together with Adblock, and it works. Thanks for replying.

I guess if you have this problem you'd better uninstall and reinstall again.

I used IObit Uninstaller to remove the Mozilla registry files too. I hope that helps.
__________________
kusabireika is offline   Reply With Quote
Old 2014-05-14, 22:37   Link #274
Solace
(ノಠ益ಠ)ノ彡┻━┻
*Moderator
 
 
Join Date: Mar 2006
Excellent, I'm glad you got it fixed. Ads can be pesky.
__________________
Solace is offline   Reply With Quote
Old 2014-05-14, 22:52   Link #275
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 47
Quote:
Originally Posted by MarineCorps View Post
Not the worst thing in the world to have happen for me. The password I use is one I use most places that are not important to me. Any actions someone would take with that password would get reported to my email, which uses a unique password with 2 step verification requiring my phone. For me I recognize that a forum is not Fort Knox nor should it be.
Did the same two-step verification to my account lately, as I go elsewhere for work but don't own a laptop or a smartphone (just a cruddy old dumbphone almost falling apart).

Also, I never keep full details of almost everything online (most of my documents are in a box just beneath the monitor), and one email account (among three) uses a false name.
__________________
sa547 is offline   Reply With Quote
Old 2014-05-15, 00:07   Link #276
Infinite Zenith
Operation sneaky sneaks
*IT Support
 
 
Join Date: Aug 2012
Location: Hic et ubique
The best security is personal vigilance. Common sense and a little bit of technical knowledge bests the world's best security: one could have the most secure anti-burglar system in the world, and it would fail because they forgot to turn it on.
__________________
Infinite Zenith is offline   Reply With Quote
Old 2014-05-15, 00:14   Link #277
Krono
Senior Member
 
Join Date: Feb 2009
Quote:
Originally Posted by Nvis View Post
Hold on a f**king second, are we still vulnerable?

They still using this MD5 thing that got hacked in the first place?
The short answer is no we are not currently still vulnerable, and yes the site is still using MD5.

The long answer is that what got hacked was a disused moderator account. The hacker used the access that granted him to post malicious scripts, and gain greater access to the site. They disabled the account, removed the elevated privileges from inactive accounts, wiped all forum software that the hacker may have had access to, and restored from a backup prior to the hacker showing up. They then invalidated all existing passwords, forcing everyone to change their password. Meaning that all possibly malicious software has been wiped, and the hacker no longer has access to any accounts.

The discussion of MD5 and password cracking is because one of the things the hacker did before he was discovered was download the password database the forum uses when people log in. MD5 is the encryption algorithm that the forum uses to store passwords. It takes passwords, and converts them into a long hexadecimal number, and optionally (as this forum uses) before it does that, it adds random data called a salt onto the password before encrypting it. Once finished, it stores the hexadecimal number which is called a hash. When you log in, it runs the password you supply through the same process, and compares the result to the result it has stored.

The problem is that MD5 is 23 years old. It was developed at a time when speed was a desirable attribute in your encryption because processing power was limited. Modern smartphones dwarf the computing power of computers of that time, and modern gaming computers dwarf the power of the supercomputers of that time. What used to take weeks or months can be done in seconds. Some people don't seem to realize this change, and are downplaying how quickly passwords in the database are likely to be broken, implying that the stolen passwords are still secure when they should not be considered secure. Hence the discussion of MD5's weaknesses in an attempt to make it clear that it's reasonable to assume the passwords are compromised.

The forum still uses MD5, because there's no quick upgrade to something better. This forum uses off-the-shelf software that's been customized. It cannot be upgraded to the latest version without breaking the customization. Nor does the latest version offer something better than MD5 anyways. Nor does most of the competition's software. Alternatives that do offer something better either do not offer the same functionality, or would require the forum to start from scratch. Meaning that ultimately the owners of this forum will have to take quite some time to consider their options, and the best option might end up simply being to take better steps to prevent the forum from being hacked in the first place, rather than to take better steps to prevent relatively weak passwords from being quickly cracked after the forum is already compromised and the passwords taken.
Krono is offline   Reply With Quote
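An added example, not from the thread and not the forum software's own code: one way a site that stores salted MD5 hashes, as the post above describes, can move to scrypt without a password reset, by wrapping each stored hash in scrypt at once and rehashing with scrypt alone at the next successful login. The `md5(password + salt)` layout, the record fields, the scheme names and the scrypt cost parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (about 16 MiB of memory per guess).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str, salt: bytes) -> bytes:
    """Simplified salted MD5 as the post describes: hash(password + salt)."""
    return hashlib.md5(password.encode() + salt).hexdigest().encode()

def scrypt_hex(data: bytes, salt: bytes) -> str:
    return hashlib.scrypt(data, salt=salt, **SCRYPT).hex()

def new_record(password: str) -> dict:
    """Store a password with scrypt only (the target format)."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": scrypt_hex(password.encode(), salt)}

def wrap_legacy(record: dict) -> dict:
    """Harden a stored MD5 hash in place; the password is not needed."""
    salt2 = os.urandom(16)
    return {"scheme": "scrypt-md5", "salt": record["salt"], "salt2": salt2,
            "hash": scrypt_hex(record["hash"].encode(), salt2)}

def verify(record: dict, password: str):
    """Return (ok, record_to_store); old schemes are upgraded on success."""
    scheme = record["scheme"]
    if scheme == "scrypt":
        candidate = scrypt_hex(password.encode(), record["salt"])
    elif scheme == "scrypt-md5":
        inner = legacy_md5(password, record["salt"])
        candidate = scrypt_hex(inner, record["salt2"])
    elif scheme == "md5":
        candidate = legacy_md5(password, record["salt"]).decode()
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and scheme != "scrypt":
        return True, new_record(password)  # rehash while we hold the plaintext
    return ok, record

if __name__ == "__main__":
    # Constructed sample row in the legacy format.
    salt = os.urandom(3)
    row = {"scheme": "md5", "salt": salt,
           "hash": legacy_md5("correct horse", salt).decode()}
    row = wrap_legacy(row)                # batch step, run once over the table
    print(verify(row, "wrong guess")[0])  # False
    ok, row = verify(row, "correct horse")
    print(ok, row["scheme"])              # True scrypt
```

Wrapping only protects the copy of the table held after the migration; hashes that were already downloaded remain plain salted MD5, which is why the forced password change described above is still required.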
Old 2014-05-15, 01:58   Link #278
Lefteris_D
Senior Member
 
 
Join Date: Apr 2001
Location: Athens, Greece
Age: 41
Quote:
Originally Posted by Nvis View Post
Hold on a f**king second, are we still vulnerable?

They still using this MD5 thing that got hacked in the first place?
I think you misunderstand something. The hack was most likely due to a forum bug present in an old vBulletin version. That bug allowed whoever did this to download the usernames, passwords and emails. This is called an SQL injection. Obviously the forum is up to date now and no longer vulnerable.

MD5 is just an encryption algorithm for the stored passwords and it's used by almost every single forum software out there and the only person able to change that is the company developing the forum software.
__________________
...
Lefteris_D is offline   Reply With Quote
Old 2014-05-15, 04:19   Link #279
KanbeKotori
失礼、噛みました
 
 
Join Date: Jul 2013
Quote:
Originally Posted by Cosmic Eagle View Post
The bolded is quite contradictory
Well maybe. What I'm hinting at is the need for these sites to have top notch security systems. Passwords aren't just a bunch of digits and what not nowadays anyway.
__________________
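"I don't have any friends. People betray you right away, and school is just a gathering of idiots who can't get by without making someone a target. They assign roles like they're playing house, pretend to get along, and act like they don't know you when things become inconvenient. I have no desire at all to be friends with people like that."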
KanbeKotori is offline   Reply With Quote
Old 2014-05-15, 05:47   Link #280
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 35
Quote:
Originally Posted by KanbeKotori View Post
Well maybe. What I'm hinting at is the need for these sites to have top notch security systems. Passwords aren't just a bunch of digits and what not nowadays anyway.
Want to foot the bill?
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
SaintessHeart is offline   Reply With Quote