[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: [Discussion] Downtime and Server Compromise

Post by Nicholas the Italian » Mon Feb 02, 2009 2:57 pm

ToonArmy wrote: Not if the hashes are salted, which the new phpBB3 ones are; you would need to generate a rainbow table for each common word plus the salt, which is nigh on impossible.
I was talking of simple MD5 (or SHA) hashes (which are still the most used, btw).

Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: [Discussion] Downtime and Server Compromise

Post by Techie-Micheal » Mon Feb 02, 2009 3:27 pm

Those who have not logged in since the conversion to phpBB3 will still have their passwords in the plain MD5 format.

Phantasmagoric
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 11:32 am
Location: UK

Re: [Discussion] Downtime and Server Compromise

Post by Phantasmagoric » Mon Feb 02, 2009 4:35 pm

Is this article about a planned MASS ATTACK on phpBB forums on DIGG serious?
http://digg.com/security/phpBB_mass_hac ... _prepared_

This has worried me a great deal after the hack on .com itself!
A.K.A. Kirk Fitzgerald

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy » Mon Feb 02, 2009 4:38 pm

Phantasmagoric wrote: Is this article about a planned MASS ATTACK on phpBB forums on DIGG serious?
http://digg.com/security/phpBB_mass_hac ... _prepared_

This has worried me a great deal after the hack on .com itself!
Digg wrote: submitted by Flashman 2 years 321 days ago
Somehow I don't think this is related ;)

Phantasmagoric
Registered User
Posts: 10
Joined: Mon Feb 02, 2009 11:32 am
Location: UK

Re: [Discussion] Downtime and Server Compromise

Post by Phantasmagoric » Mon Feb 02, 2009 4:41 pm

Ha, I should have paid attention to the dates there. This is getting really weird; it seems everyone is talking about this hack on .com. I'm going to stop reading it all, it's starting to freak me out too much. :?
A.K.A. Kirk Fitzgerald

Phox
Registered User
Posts: 6
Joined: Thu Jul 24, 2008 2:06 pm

Re: [Discussion] Downtime and Server Compromise

Post by Phox » Mon Feb 02, 2009 5:26 pm

Is there any chance emails will be encrypted within the phpList software now? I mean, getting hacked is no problem -- it happens to everyone, but preventing mass damage is a problem and should be dealt with. Thanks for any reply and good luck with fixing everything -- keep it up. :)

CarolC1
Registered User
Posts: 12
Joined: Mon Feb 02, 2009 12:45 am

Force re-encryption of old passwords?

Post by CarolC1 » Mon Feb 02, 2009 5:54 pm

I understand they got in through phpList which we do not use.

And I understand phpbb3 software is secure.

But....

Supposing I want a safety margin (not knowing what kind of vulnerability I myself might inadvertently create by overmodding or not updating something in a timely manner, etc.)...

is anyone looking into a way for people with users in the database with passwords still encrypted in the phpbb2 style to update those passwords to the phpbb3 style...

without asking all those users to log in again.

As you pointed out, some of the email addresses may be out of date so we might be unable to contact them.

And I do not want to delete the users.

We do have a lot of users who are just good people, I'd rather have an extra layer of protection for these good souls if it's do-able?

Phox
Registered User
Posts: 6
Joined: Thu Jul 24, 2008 2:06 pm

Re: [Discussion] Downtime and Server Compromise

Post by Phox » Mon Feb 02, 2009 7:42 pm

You can't update the passwords without rainbow tabling them (which might not even be possible for some -- but they are already protected). I wouldn't worry about it though; most people do log in or would've changed their password by the time you'd get hacked.

<edit>

Alternatively, you could request a mod that deactivates these accounts or resets their passwords, and just removes their passes.

a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_

Re: [Discussion] Downtime and Server Compromise

Post by a_o_c » Mon Feb 02, 2009 8:30 pm

I miss (dot)com. I've been checking in for hours. Anyway, I guess it's a good thing (it finally got me to register here). :D

Erik Frèrejean
Registered User
Posts: 207
Joined: Thu Oct 25, 2007 2:25 pm
Location: surfnet

Re: [Discussion] Downtime and Server Compromise

Post by Erik Frèrejean » Mon Feb 02, 2009 8:33 pm

Phox wrote: Is there any chance emails will be encrypted within the phpList software now? I mean, getting hacked is no problem -- it happens to everyone, but preventing mass damage is a problem and should be dealt with. Thanks for any reply and good luck with fixing everything -- keep it up. :)
That would be up to the PHPList developers, but I don't see that happening, because when you hash the e-mail addresses you can't e-mail them. That is the same as when some people claim it is stupid to store the database password in plain text, but there is no other way. Encrypting is useless because those are easily reversed, and hashes can't be reversed. So once stored as a hash the data is only useful for comparison.
CarolC1 wrote: Supposing I want a safety margin (not knowing what kind of vulnerability I myself might inadvertently create by overmodding or not updating something in a timely manner, etc.)...
To be safe, only install the MODs you really need, only download MODs from the phpBB.com MODDB, and stay up to date with the latest versions.
CarolC1 wrote: is anyone looking into a way for people with users in the database with passwords still encrypted in the phpbb2 style to update those passwords to the phpbb3 style...
We are discussing this, but for now we have higher priorities; we'll think of something before .com gets back online.
Available on .com
Support Toolkit developer
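Added example, not code from this thread and not phpBB's own password code: it illustrates two points raised above, ToonArmy's salted-versus-unsalted distinction and CarolC1's question about records still stored in the phpBB2-style unsalted MD5 format. The defender-side technique shown is hash wrapping: the stored MD5 digest is fed, as-is, into a salted iterated hash so the bare MD5 no longer exists in the database, and the record is replaced by a native hash the next time the user logs in. Python is used instead of phpBB's PHP for readability; the user table, the passwords, the `$wrapmd5$` and `$pbkdf2$` storage formats and the iteration count are all constructed for this example and are not phpBB's formats.

```python
import hashlib
import hmac
import os

# Constructed sample user table in the phpBB2 style: a bare unsalted MD5 hex digest.
# The passwords ("hunter2", "letmein") are made up for the example.
USERS = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),    # same password as alice -> identical hash
    "carol": hashlib.md5(b"letmein").hexdigest(),
}

# Kept small so the example runs quickly; a real deployment would use a higher count.
PBKDF2_ITERATIONS = 50_000


def is_legacy_md5(stored: str) -> bool:
    """A bare 32-character hex string is the unsalted MD5 format the thread warns about."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> str:
    """Fresh salted, iterated hash: two users with the same password get different values,
    so a single precomputed table no longer covers both."""
    salt = os.urandom(16)
    return "$pbkdf2$" + salt.hex() + "$" + _kdf(password.encode(), salt).hex()


def wrap_legacy(stored_md5: str) -> str:
    """Upgrade a legacy record without knowing the password: the old MD5 digest (as a hex
    string) becomes the secret input to the salted KDF. The bare MD5 is no longer stored."""
    salt = os.urandom(16)
    return "$wrapmd5$" + salt.hex() + "$" + _kdf(stored_md5.encode(), salt).hex()


def verify(stored: str, password: str) -> bool:
    """Check a password against any of the three record formats, in constant time."""
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)
    parts = stored.split("$")
    if len(parts) != 4:
        return False
    _, scheme, salt_hex, dk_hex = parts
    salt = bytes.fromhex(salt_hex)
    if scheme == "wrapmd5":
        inner = hashlib.md5(password.encode()).hexdigest().encode()
    elif scheme == "pbkdf2":
        inner = password.encode()
    else:
        return False
    return hmac.compare_digest(_kdf(inner, salt), bytes.fromhex(dk_hex))


def upgrade_all(table: dict) -> dict:
    """Offline migration, no user interaction needed: wrap every legacy record and leave
    already-upgraded rows untouched."""
    return {user: (wrap_legacy(h) if is_legacy_md5(h) else h) for user, h in table.items()}


def rehash_on_login(stored: str, password: str):
    """On a successful login, retire legacy and wrapped records by returning a fresh native
    hash; returns the existing record if it is already native, or None if verification fails."""
    if not verify(stored, password):
        return None
    if stored.startswith("$pbkdf2$"):
        return stored
    return hash_password(password)


if __name__ == "__main__":
    upgraded = upgrade_all(USERS)
    print("legacy records left:", sum(is_legacy_md5(h) for h in upgraded.values()))
    print("alice == bob before:", USERS["alice"] == USERS["bob"])
    print("alice == bob after: ", upgraded["alice"] == upgraded["bob"])
    print("carol after login:  ", rehash_on_login(upgraded["carol"], "letmein")[:9])
```

The migration in `upgrade_all` can be run once against the whole table, which is the "without asking all those users to log in again" part of the question; the wrapped records are then verifiable on login, and `rehash_on_login` swaps each one for a native hash the first time its owner authenticates.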
