Passwords
It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.
Well, I'm already getting spam on my unique email address generated for the forum so we might consider that if that leaked, the hashes leaked as well:
Received: by 10.42.220.135 with SMTP id hy7cs191738icb;
Mon, 12 Sep 2011 05:57:14 -0700 (PDT)
Received: by 10.14.13.14 with SMTP id a14mr1481921eea.41.1315832233374;
Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Return-Path:
Received: from x
by mx.google.com with ESMTPS id 36si4325308eeh.202.2011.09.12.05.57.12
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Received-SPF: fail (google.com: domain of [email protected] does not designate Y as permitted sender) client-ip=Y;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate Y as permitted sender) [email protected]
Received: from yama-bousai-web.bosai.vill.yamato.lg.jp ([61.194.116.165])
by X (8.14.1/8.14.1) with ESMTP id p8CCvAWf028904
for ; Mon, 12 Sep 2011 14:57:11 +0200 (CEST)
Message-Id: <201109121257.p8CCvAWf028904@X>
Received: from User ([66.219.29.150])
by yama-bousai-web.bosai.vill.yamato.lg.jp
(Post.Office MTA v4.1.0.4 release 20090417
ID# 6014-053U50L50S0V41J) with ESMTP id jp;
Mon, 12 Sep 2011 19:48:48 +0900
From: "[email protected]"
Subject: Liberty Reserve Bonus Winner
Date: Mon, 12 Sep 2011 19:48:28 +0900
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-9"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To increase your bonus you can use one of our autorized exchangers to upload money in your account! Please be aware that this Bonus Offer will expire in 5 bussiness days! Bonus amount will be added to your account balance in maximum 24 hours!
2002 - 2011 Liberty Reserve S.A. All rights reserved.
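Since the point above rests on reading those headers, here is an added example (not from the post or the forum) that walks the Received chain oldest-first and pulls out the SPF verdict the receiving MTA recorded. The sample headers are the ones quoted above, re-folded so continuation lines parse correctly, with the poster's redactions (X, Y, obfuscated addresses) kept as given.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the headers quoted in the post above, re-folded with
# leading whitespace so continuation lines parse correctly. The poster's
# redactions (X, Y, obfuscated addresses) are kept exactly as given.
RAW_HEADERS = """\
Received: by 10.42.220.135 with SMTP id hy7cs191738icb;
        Mon, 12 Sep 2011 05:57:14 -0700 (PDT)
Received: from x by mx.google.com with ESMTPS id 36si4325308eeh.202.2011.09.12.05.57.12
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
        [email protected] does not designate Y as permitted sender) [email protected]
Received: from yama-bousai-web.bosai.vill.yamato.lg.jp ([61.194.116.165])
        by X (8.14.1/8.14.1) with ESMTP id p8CCvAWf028904
        for ; Mon, 12 Sep 2011 14:57:11 +0200 (CEST)
Received: from User ([66.219.29.150])
        by yama-bousai-web.bosai.vill.yamato.lg.jp
        (Post.Office MTA v4.1.0.4 release 20090417
        ID# 6014-053U50L50S0V41J) with ESMTP id jp;
        Mon, 12 Sep 2011 19:48:48 +0900
Subject: Liberty Reserve Bonus Winner
"""

# "from <name> ([ip])" as written by sendmail-style MTAs; the IP group is
# optional because the hop Google added names only "x".
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(\[?([\d.]+)\]?\))?", re.I)
SPF_RE = re.compile(r"\bspf=(\w+)")


def received_chain(raw):
    """Delivery path oldest-first as (claimed_name, ip) tuples. Each relay
    prepends its own Received header, so the last one in the message is the
    earliest hop; only the header written by your own MTA is trustworthy."""
    msg = HeaderParser().parsestr(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold, then match
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))


def spf_result(raw):
    """SPF verdict recorded by the receiving MTA, or None if absent."""
    ar = HeaderParser().parsestr(raw).get("Authentication-Results")
    m = SPF_RE.search(" ".join(ar.split())) if ar else None
    return m.group(1) if m else None
```

On these headers the chain starts at "User" (66.219.29.150) relaying through the yamato.lg.jp server before reaching X, and the SPF verdict is hardfail; hops below the one your own server wrote are sender-supplied and can be forged.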
[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]
Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).
I suppose that is true. With admin access, they just had to press one button to get a full database dump. That is much less work than coding a dump program yourself.
Basically, this is a case where you just have to weigh the risks that the hacker would decide to suddenly start cracking the passwords after you release the details, to the damage that anything less than full disclosure would cause to your reputation. Remember when Mt.Gox was hiding things how pissed everyone was?
Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post.
Nobody here really thinks that mods are special. We just happen to read more posts than everyone else, so we were given the power to moderate the forum ourselves instead of having to report everything.
[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]
Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).
Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post.
Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues.
But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab*
Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too.
They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed.
Here's the thing: this information was only revealed AFTER the attack. As such, the hacker no longer has access to the system. If they had the idea of taking the user database and cracking the passwords, they either already did or they didn't. There is literally no way to take the user database without explicitly thinking "I want to crack everyone's password!". If they did take the user database, you can bet that they also downloaded the entire source code of the forum, just in case we made any changes to how the passwords were stored (I don't know that we did, and if we didn't change how the passwords were stored, they could have found this out from the SMF source code any time they wanted to - including well before the attack). Basically, the attacker already would have known all this. There is NO danger in revealing this information after the fact.