sibbi (Team Member; Joined: 18-Mar-2003; Posts: 664; From: Iceland)
Re: Amigaworld.net hacked? Posted on 7-Nov-2018 23:54:22 [ #41 ]

@Broadblues/Thread
I've watched this thread, we're not ignoring it...
There are obviously some things that we were already doing to try to prevent this.
We do regularly patch the server, run a recent, fully patched version of both Apache and PHP, as well as MySQL, and we patch the kernel and reboot the server on a fairly regular basis.
However, even given all that, the Xoops code we are running is very old, and although we've made multiple precautions in various places in the code and have custom developed patches for well known holes, there might be a hole in it somewhere that we're not aware of. Numerous discussions have taken place over the years about moving to another CMS, but we lack a developer and doing so would break the site in non-CSS capable browsers.
I wasn't able to find a local file on the filesystem containing this password database information anywhere, but that doesn't necessarily mean that nothing happened nor that we should just ignore it.
The Xoops code uses the fairly weak MD5 method of hashing passwords. It's somewhat easy to crack passwords using MD5 at this stage, using a precompiled library of "well known" hashes.
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.
All you have to do, to "update" your password to the new hashing algorithm, is to log out, and log back in.
Once you do that, your password hash will be updated in the database and stored using the far more secure method.
Having said that, it's still good practice to never re-use a password between sites, as has been mentioned many times in this thread.
_________________ --- Sibbi
Disclaimer: The opinions stated do not necessarily represent those of my employer.
Status: Offline
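As an added example (not code from Amigaworld.net or Xoops), this is how the log-out/log-in upgrade described in the post above can be implemented with PHP's password_hash(): a legacy MD5 hash is verified once and then replaced, and password_needs_rehash() keeps already-migrated rows current. The $users array, the helper names and the sample accounts are this example's own assumptions.

```php
<?php
// Added example (not Amigaworld's or Xoops' code): upgrade a legacy MD5
// password hash to password_hash() transparently when the user logs in.
// $users stands in for the user table; helper names are this example's own.
declare(strict_types=1);

// Constructed sample rows: alice is still on unsalted MD5, bob already migrated.
$users = [
    'alice' => ['pass' => md5('correct horse')],
    'bob'   => ['pass' => password_hash('battery staple', PASSWORD_DEFAULT)],
];

// A legacy Xoops-style hash is 32 lowercase hex chars; password_hash() output
// starts with "$2y$" or "$argon2..." and can never match this pattern.
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Returns true on a successful login. On success a legacy MD5 hash (or a
// password_hash() hash with outdated parameters) is replaced in $users with a
// fresh password_hash() of the password the user just supplied.
function verify_and_upgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['pass'];
    if (is_legacy_md5($stored)) {
        // Constant-time compare; md5() is used only to check the old value,
        // never to store a new one.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$name]['pass'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['pass'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// alice's row is migrated on her first successful login; a failed login
// leaves the legacy hash untouched, so the check below reports no legacy hash.
verify_and_upgrade($users, 'alice', 'correct horse');
var_dump(is_legacy_md5($users['alice']['pass']));
```

Until a user logs in again their row keeps the old MD5 hash, which is why the post asks everyone to log out and back in rather than treating the change as instant.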
AlexC (Super Member; Joined: 22-Jan-2004; Posts: 1300; From: City of Lost Angels, California.)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 1:25:56 [ #42 ]

@sibbi
One small issue with the updated login script:
I logged in to refresh the password hash and upon successful login, the user.php script created a redirection to "https://" with no URL.
_________________ AlexC's free OS4 software collection
AmigaOne XE/X1000/X5000/UAE-PPC OS4 laptop/X-10 Home Automation
Status: Offline
spud101 (Member; Joined: 4-Aug-2016; Posts: 83; From: Unknown)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 8:18:45 [ #43 ]

@sibbi
Super! Very happy you are working on this. Indeed MD5 has been found insecure for many years now. Good you have implemented a new hash. Thanks a lot!!
Status: Offline
saimo (Elite Member; Joined: 11-Mar-2003; Posts: 2450; From: Unknown)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 9:58:55 [ #44 ]

@sibbi
Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.
All you have to do, to "update" your password to the new hashing algorithm, is to log out, and log back in.
Once you do that, your password hash will be updated in the database and stored using the far more secure method.
Thanks for this. There should be a prominent notice on the front page to inform all the users.
_________________ RETREAM - retro dreams for Amiga, Commodore 64 and PC
Status: Offline
sibbi (Team Member; Joined: 18-Mar-2003; Posts: 664; From: Iceland)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 10:02:07 [ #45 ]

@AlexC
Yeah I noticed this once, but when I tried to reproduce it, it did not do it again.
_________________ --- Sibbi
Disclaimer: The opinions stated do not necessarily represent those of my employer.
Status: Offline
broadblues (Amiga Developer Team; Joined: 20-Jul-2004; Posts: 4446; From: Portsmouth England)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 11:43:50 [ #46 ]

Status: Offline
AmigaOneProductions (Cult Member; Joined: 11-Jan-2006; Posts: 717; From: Ingle land)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 11:51:51 [ #47 ]

I have had 3 mails over the past month addressed to an address I used here, one of them had the password that I have used in the past, but had been changed some time ago.
I also use email addresses keyed to individual websites so I know that the address came from here.
Quote:
Hello! I'm a programmer who cracked your email account and device about half year ago. You entered a password on one of the insecure site you visited, and I catched it. Your password from amigaworld@techmailbox.co.uk on moment of crack: *********
EDIT: Make that 4 emails, the one I just received pretends to be from PayPal, probably wants to steal my details from there too.
Last edited by AmigaOneProductions on 08-Nov-2018 at 05:28 PM.
_________________ Glass coffins, a success? Remains to be seen.
Status: Offline
number6 (Elite Member; Joined: 25-Mar-2005; Posts: 11540; From: In the village)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 16:36:35 [ #48 ]

@thread
Unrelated but: https://forum.amiga.org/
Quote:
Most Online Today: 743. Most Online Ever: 800 (November 07, 2018, 01:09:31 PM)
I don't think so...
#6
Last edited by number6 on 08-Nov-2018 at 04:37 PM.
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well*
Status: Offline
BigD (Elite Member; Joined: 11-Aug-2005; Posts: 7307; From: UK)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 16:45:05 [ #49 ]

@sibbi
Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.
I've just got my first email today providing my current AmigaWorld password and stating that my 'email has been hacked' though it is obviously AmigaWorld only!!!
What exactly is going on and why is there no message on the front of this site informing us all of the dangers? The programmer states proudly he hacked it 6 months ago!!
Last edited by BigD on 08-Nov-2018 at 04:45 PM.
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios
Status: Offline
BigD (Elite Member; Joined: 11-Aug-2005; Posts: 7307; From: UK)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 17:53:10 [ #50 ]

@sibbi
... and now I'm getting considerably more spam emails!!! This is very annoying. I've changed my password but is this going to be an ongoing problem with AmigaWorld or has your PHP password_hash thingy made some difference? From the sounds of it there could be a back door in the website that you're not aware of! If there was an attack in 2012 or 6 months ago or whenever then why weren't we told?
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios
Status: Offline
number6 (Elite Member; Joined: 25-Mar-2005; Posts: 11540; From: In the village)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 18:12:16 [ #51 ]

@BigD
Quote:
If there was an attack in 2012 or 6 months ago or whenever then why weren't we told?
AmigaWorld.Net hacked!
That ^ did not constitute "telling" to you?
#6
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well*
Status: Offline
zipper (Regular Member; Joined: 11-Jul-2005; Posts: 275; From: finland)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 20:00:21 [ #52 ]

Got mine today. I suppose my pw was hacked via Adobe 2013. No wonder at all to get the message, my other "dirty" email has been pwned for many years..
Status: Offline
BigD (Elite Member; Joined: 11-Aug-2005; Posts: 7307; From: UK)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 22:56:44 [ #53 ]

@number6
It was flagged up as being all above board and that MD5 encryption was enough!
sibbi wrote on 12th January 2012 Quote:
Our passwords are saved as MD5... There is nothing that suggests that the site has been hacked in any way, and since the actual user password was gotten from somewhere, our suspicion is that the passwords were retrieved from another Amiga site which does not do that (store the passwords encrypted), we have no idea from what site though, nor do we have any proof of any of this, this could simply have been guesswork.
To be on the safe-side however, we are recommending that users change their passwords, especially if they re-use the same password on many Amiga sites (which in general is a bad idea). Password complexity is a whole other discussion.
He therefore refused to accept that there was a weakness in the Amigaworld.net setup whereas now 6 & 1/2 years on he accepts there is / was!
So now PHP_Hash type encryption should solve it all and keep us safe? Who knows?
Last edited by BigD on 08-Nov-2018 at 10:58 PM.
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios
Status: Offline
BigD (Elite Member; Joined: 11-Aug-2005; Posts: 7307; From: UK)
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 23:01:42 [ #54 ]

@sibbi
I get spam every 15 to 18 minutes now! Thanks for this situation!
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios
Status: Offline
tonyw (Elite Member; Joined: 8-Mar-2003; Posts: 3240; From: Sydney (of course))
Re: Amigaworld.net hacked? Posted on 8-Nov-2018 23:33:31 [ #55 ]

@BigD
Quote:
He therefore refused to accept that there was a weakness in the Amigaworld.net setup whereas now 6 & 1/2 years on he accepts there is / was!
That's being unreasonable. Back in 2012, MD5 WAS good enough. Times have changed, the baddies have got more skills. We have to fix things reactively, not proactively: there aren't enough hours in the day to fix bugs that aren't yet a problem.
If you have been sensible and used unique passwords in different situations, you won't have a problem.
_________________ cheers tony
Hyperion Support Forum: http://forum.hyperion-entertainment.biz/index.php
Status: Offline
BigD (Elite Member; Joined: 11-Aug-2005; Posts: 7307; From: UK)
Re: Amigaworld.net hacked? Posted on 9-Nov-2018 0:06:28 [ #56 ]

@tonyw
Quote:
If you have been sensible and used unique passwords in different situations, you won't have a problem.
I did that but the hacker has my email address now (only) and is spamming me and this is annoying enough. This must have been a recent attack as I'd have had an influx of spammed email before now! Why wasn't the PHP_Hash encryption thought about in the last two years? Surely the 2012 attack was a warning on that front? Did they hack the MD5 protection in 2012 or not? If they did then it wasn't strong enough!
There needs to be some honesty here. I remember when TalkTalk and the Post Office Broadband companies got hacked that they tried to hush it up too. Not the best strategy IMHO
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios
Status: Offline
jPV (Cult Member; Joined: 11-Apr-2005; Posts: 809; From: .fi)
Re: Amigaworld.net hacked? Posted on 9-Nov-2018 6:22:32 [ #57 ]

Quote:
AlexC wrote: @sibbi
One small issue with the updated login script:
I logged in to refresh the password hash and upon successful login, the user.php script created a redirection to "https://" with no URL.
This kind of thing is reproducible if you initially go to http://amigaworld.net , it gets forwarded to https://amigaworld.net , which looks correct, but after login it tries to go to "https:/" and you get an error requester.
_________________ - The wiki based MorphOS Library - Your starting point for MorphOS - Software made by jPV^RNO
Status: Offline
spud101 (Member; Joined: 4-Aug-2016; Posts: 83; From: Unknown)
Re: Amigaworld.net hacked? Posted on 9-Nov-2018 18:21:47 [ #58 ]

Status: Offline
amigakit (Amiga Kit; Joined: 28-Jun-2004; Posts: 2515; From: www.amigakit.com)
Re: Amigaworld.net hacked? Posted on 9-Nov-2018 19:25:16 [ #59 ]

@spud101
AmigaWorld has nearly 6000 accounts on the database (probably only a percentage these days is active). In this thread I have read through and counted 8 users who are reporting problems. There have been no reports to privacy@a-eon.co.uk so far which is the official channel to relay any privacy questions or alerts/reports.
Data integrity is extremely important to everyone here and is regarded with the highest priority. Sibbi has duly upgraded the encryption strength of the database. He has still not found any server side evidence that a data breach has occurred but checking will continue. As a precaution an initial report has been made to the Information Commissioner's Office whilst it is investigated further.
Soon advice will be published regarding changing passwords.
Depending on the outcome of server investigations we may need to review all options.
Last edited by amigakit on 09-Nov-2018 at 07:39 PM. Last edited by amigakit on 09-Nov-2018 at 07:25 PM.
_________________ Amiga Kit Amiga Store Links: www.amigakit.com | New Products | A600GS
Status: Offline
number6 (Elite Member; Joined: 25-Mar-2005; Posts: 11540; From: In the village)
Re: Amigaworld.net hacked? Posted on 9-Nov-2018 19:44:03 [ #60 ]

@amigakit
Quote:
AmigaWorld has nearly 6000 accounts on the database (probably only a percentage these days is active
Depends on how one defines active these days. If just logging in counts, as opposed to having to post:
unique nicks in the last year = 961
monthly hovers around 385, which is actually an increase since all the legal activity began.
#6
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well*
Status: Offline