NMA was hacked

Discussion in 'NMA News and Information' started by Odin, Sep 27, 2011.

  1. Odin

    Odin Carbon Dated and Proud
    Admin

    Apr 2, 2003
    Cheers for the tips guys, that specific code that was used to hack his way in was done ages ago and with the help from my host at the time.

    We were in the progress of planning to upgrade the site these last few weeks, so most of the code here will be gone after the upgrade.
     
  2. Lexx

    Lexx Background Radiant
    Moderator Modder

    Apr 24, 2005
    I just hope the forum will at least partly remain it's current look. :>

    Oh and please no website width, like 900px or something. It's always easier to read a forum, if it's using 100% of the screen.
     
  3. TheWesDude

    TheWesDude Sonny, I Watched the Vault Bein' Built!

    Feb 25, 2005
    odin, again...

    if you are going to limit security of accounts to MD5 hashing, that is the same as no security at all.

    its quite pointless to really do anything unless you change the hashing algorithm to something far more complex like a 256 or 512 hash, and implement failed attempts lockout even if its just temporary but log it.

    if you dont, there really isnt any point in doing anything because MD5 hashing has been cracked for a long time. there are numerous even web sites that can reverse-hash a MD5. we use them at least once a week at work.
     
  4. strus

    strus Patrick Bateman

    226
    Feb 23, 2005
    PUPPIES !!! :)

     
  5. Korin

    Korin So Old I'm Losing Radiation Signs
    Admin

    Aug 6, 2010
    I believe the article feature should be working again... let me know if there are any problems with it.
     
  6. Brother None

    Brother None This ghoul has seen it all
    Staff Member Admin Orderite

    Apr 3, 2003
    Awesome, well done korindabar.

    I assume but will ask anyway so everyone feels safe: the security issues have been solved then, or at least patched until the big update?
     
  7. Korin

    Korin So Old I'm Losing Radiation Signs
    Admin

    Aug 6, 2010
    That particular issue with the article.php script has been resolved. I am not currently aware of any other security vulnerabilities, so that doesn't mean they don't exist... just that this specific one has been laid to rest.
     
  8. TailSwallower

    TailSwallower First time out of the vault

    43
    Feb 9, 2010
    I hope that means the forum is getting overhauled as well, because a green-on-black main page would look way too 1997 (though that could be the point, right?).
     
  9. Lexx

    Lexx Background Radiant
    Moderator Modder

    Apr 24, 2005
    The forum should be a FPS with regenerative php and all that!
     
  10. .Pixote.

    .Pixote. Carbon Dated and Proud
    Modder

    Sep 14, 2009
    Just make sure the colours are dark, bright 'white' coloured threads burn my eyes.

    Recent photo -

     
  11. TailSwallower

    TailSwallower First time out of the vault

    43
    Feb 9, 2010
    Replace the "Post Reply" with "Enter V.A.T.S."?

    Actually, forums are turn-based, and thus are totally outdated and unmarketable. We need a chat room! A gritty, gorey chat room!
     
  12. TheWesDude

    TheWesDude Sonny, I Watched the Vault Bein' Built!

    Feb 25, 2005
    why do i get the impression nobody read any of my like 5 posts saying the same thing...
     
  13. SuAside

    SuAside Testament to the ghoul lifespan
    Admin

    May 27, 2004
    Well, at least I'm thankful it was a hacker with some restraint and not a cracker or scriptkiddie out for destruction.
     
  14. Goweigus

    Goweigus Mildly Dipped

    566
    Jan 18, 2007
    I'm also a bit worried how ignored you seemed to be. Blocking someone for too many password attempts seems like an absolutely critical thing that would require minimal effort to implement. *I don't know enough about computer security to comment on anything more complicated*
     
  15. Brother None

    Brother None This ghoul has seen it all
    Staff Member Admin Orderite

    Apr 3, 2003
    We specialize in ignoring.

    Anyway, what TWD is saying would be relevant if we were patching up our current forum system. We're not, we're switching to another forum entirely, which I think does block of brute forcing, and while I don't know anything about MD5 hashing, isn't that only a problem assuming someone gets into the database in the first place?

    EDIT: looks like we're switching over to a system that salts and uses MD5.
     
  16. Lexx

    Lexx Background Radiant
    Moderator Modder

    Apr 24, 2005
    What forum will that be? I personally am a big fan of SMF2.0.
     
  17. Brother None

    Brother None This ghoul has seen it all
    Staff Member Admin Orderite

    Apr 3, 2003
    vBulletin.
     
  18. Nark

    Nark Sonny, I Watched the Vault Bein' Built!

    Dec 6, 2008
    Nice. But doesn't that cost quite a bit of money to use? Who's paying for it?
     
  19. Korin

    Korin So Old I'm Losing Radiation Signs
    Admin

    Aug 6, 2010
    I'll answer some of what was said:

    We're talking about two different things here. First is brute forcing the login of the site and that isn't related to the md5 password hashes (you can't use the hash as the password). You either know what the original string was or you don't.

    There is nothing currently in place on -this- forum that limits login attempts but that capability is built into the new forum software (the default setting being 5 attempts). This should be coming very soon.

    To clarify for everyone concerned, md5 has not been "cracked". There is no inherent way to reverse your password to it's original value programmatically speaking. There are however two reasons why md5 is not as 'secure' as it should be.

    1. The first reason is that over time databases/sites have been built that contain the "pre-hash" value of passwords as well as the "post-hash" value. So if your password is "password" the md5 for that is "5f4dcc3b5aa765d61d8327deb882cf99", it is easy to look up the md5 hash and see what the original value was. Simple one word/short passwords, common phrases and etc are likely available on the internet.

    2. The second reason why md5 is generally considered insecure is that certain "collisions" exist. This means that it's possible for more than one "original value" to potentially create the same md5 as your password does.

    While collisions do exist, it is still quite unlikely that someone is going to find a collision value for your password any time soon. Certainly anyone with the capability or resources to do so has better things to do than hack NMA.

    ****
    For those who want to know more about the attacker, his attack seems to have been completely random and likely the result of a script that reaches out and looks for old exploits in the phpbb2 software using Google or some other engine. This was in no way a co-ordinated or focused effort for the individual responsible. As I said before, we aren't a particular 'juicy' target, but we were the low hanging fruit.

    The next iteration of the forum has a much more robust security set. In the meantime, I am trying to patch whatever holes I can find on this sinking ship.

    We could go through the dev effort to overhaul how passwords are stored/hashed but the energy would be better spent moving us over to vBulletin as soon as possible.

    It is still advisable that you change your password to something secure.
     
  20. Brother None

    Brother None This ghoul has seen it all
    Staff Member Admin Orderite

    Apr 3, 2003
    Generous NMA donations have piled up over the years, in bits and pieces. We used it earlier to fund a contest, now we're using it to fund vBulletin and hopefully a frontpage overhaul as well. If we have enough left we might even do another contest!

    So thanks to whoever donated over the years!