Ars was briefly hacked yesterday; here’s what we know

Status
Not open for further replies.

sigmasirrus

Ars Scholae Palatinae
1,267
bthylafh said:
Password changed from one random 32-char string to another. Dead easy with Lastpass.

Even with just plain ol' MD5, you wouldn't technically need to change your password if it's that long and random.
 
Upvote
7 (7 / 0)

Aunty Dan

Seniorius Lurkius
4
Is anyone else unable to change their password? Every time I try I get the error "You did not enter a confirm e-mail address" in red next to the "Update password" button.

I can change my password by using the "Forgotten password" reset function fine, but once set I can't change it to anything else because of this error.
 
Upvote
1 (1 / 0)

leedo

Ars Scholae Palatinae
986
Subscriptor++
Aunty Dan said:
Is anyone else unable to change their password? Every time I try I get the error "You did not enter a confirm e-mail address" in red next to the "Update password" button.

I can change my password by using the "Forgotten password" reset function fine, but once set I can't change it to anything else because of this error.
Can you give this (old) profile page a try? ucp.php?i=172
 
Upvote
2 (2 / 0)

Maltz

Ars Scholae Palatinae
1,037
whoisit said:
You guys could really teach a lot to other companies about disclosures after a hack. Maybe you could be post-hack consultants? :)

Well... I partly agree. The article is great for disclosing details, but I still have to come to the site to see it. A proper notification would be pushed via the most reliable method of contact the company has for you - email, I assume, in Ars' case.
 
Upvote
12 (12 / 0)

Bengie25

Ars Praefectus
5,505
Subscriptor
Control Group said:
DougHW said:
I love the transparency, but I might not have announced the exact number of iterations. That can't hurt the attackers' odds of decrypting them...
Security through obscurity isn't.

You should publish all the details of your security infrastructure - or at least, you should assume that a bad actor already knows every detail of your security infrastructure except for the actual values of any secret tokens involved.


Technically, passwords and certificates are a form of obscurity. Obscurity is just a secret, just like a password is a secret. The problem is there are many passwords, but there is only one implementation.

Kind of like placing your SSH port on a high port instead of 22. You'd be amazed how effective it is at reducing your risk because fewer bots are trying to attempt random passwords. Assuming you even allow passwords.

What most people consider "Obscurity" doesn't add much security, but it does add some. The problem is most people who add Obscurity tend to assume it's impervious.
 
Upvote
14 (15 / -1)

Deleted member 192806

Guest
ChrisSD said:
To be honest I'd be more annoyed about my email being leaked than my Ars password hash but that ship had already sailed so...

What's the worst that can happen? Someone pretend to be you and post insightful and witty commentary? :p
 
Upvote
8 (10 / -2)

CoZ Dr. Huxtable

Smack-Fu Master, in training
71
Desverger said:
My biggest concern: was there any malware on the hacked site? I witnessed the hack when I tried to visit ars yesterday and saw the black screen. I can't help but wonder if there were any exploits also sent my way.

The source code looked clean, if that matters...
 
Upvote
4 (4 / 0)

pqr

Ars Scholae Palatinae
1,261
235711131719232931 said:
(Re-posting here for more visibility)

From one of the twitter accounts that were listed on the defaced page (https://twitter.com/nidohax):

Basic Ars security protocols: make sure you have a root user's passwordless id_rsa in a world readable tarball on one of your boxes. (1/2)
Also make sure that the password for a sudoer active on every box is kept in one of the sysadmin's .bash_history files (-p flag ftw). (2/2)

Bash history (and any other file based shell history) is the devil on admin-capable accounts. Wonder how PW got typed on command line though..
 
Upvote
8 (8 / 0)

Oz7

Ars Tribunus Militum
1,571
pqr said:
uhuznaa said:
Any idea how the hacker got in in the first place? What OS do you run on that server and which hole he crept in through? THAT would make a nice read...

I heard it was a combination of inside job and North Korean hackers...

:)

Unlikely, unless demands and statements about "The Ars" start popping up
 
Upvote
4 (4 / 0)

taiganaut

Ars Scholae Palatinae
1,261
ChrisSD said:
Threz_ said:
It's unfortunate that Ars is tied down with phpBB's decision to only offer MD5 in the name of compatibility.
Well technically they can replace the phpbb password routine with their own, custom, routine but that is a bit of work to create and maintain.
A patch that calls PBKDF2 or bcrypt, run every time the underlying phpBB *hrk* is upgraded?
 
Upvote
1 (1 / 0)

ChrisSD

Ars Tribunus Angusticlavius
6,188
Ostracus said:
ChrisSD said:
To be honest I'd be more annoyed about my email being leaked than my Ars password hash but that ship had already sailed so...

What's the worst that can happen? Someone pretend to be you and post insightful and witty commentary? :p
My worst nightmare, yes.
 
Upvote
9 (9 / 0)
pqr said:
235711131719232931 said:
(Re-posting here for more visibility)

From one of the twitter accounts that were listed on the defaced page (https://twitter.com/nidohax):

Basic Ars security protocols: make sure you have a root user's passwordless id_rsa in a world readable tarball on one of your boxes. (1/2)
Also make sure that the password for a sudoer active on every box is kept in one of the sysadmin's .bash_history files (-p flag ftw). (2/2)

Bash history (and any other file based shell history) is the devil on admin-capable accounts. Wonder how PW got typed on command line though..

Code:
#mysql -u user -p password

... most likely. Especially if the password is reused.
 
Upvote
8 (8 / 0)
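A defensive check for the failure described in the posts above (a password typed as a command-line argument and left in `.bash_history`), as an added example that is not part of the original thread: a Python audit that flags such history lines and masks the secret in its report. The history lines, hostnames and the `ExampleS3cret` value are constructed, and the rule set is a small illustrative one, not an exhaustive list.

```python
import os
import shlex
from typing import List, NamedTuple

MYSQL_TOOLS = {"mysql", "mysqldump", "mysqladmin"}
MASK = "****"

# Constructed sample history; every value here is made up for the example.
HISTORY = """\
cd /var/www
mysql -u forum -pExampleS3cret forumdb
mysql -u forum -p
mysql -u forum -p ExampleS3cret
sudo sshpass -p ExampleS3cret ssh deploy@db1.example.internal
curl -u admin:ExampleS3cret https://intranet.example.internal/status
mysqldump --user=forum --password=ExampleS3cret forumdb
tar czf /tmp/home-backup.tgz /root
"""


class Finding(NamedTuple):
    lineno: int
    reasons: List[str]
    redacted: str  # command with the secret masked, safe to paste in a report


def audit_history(lines: List[str]) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#"):  # HISTTIMEFORMAT timestamp or comment line
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes in a history line
            argv = line.split()
        names = [os.path.basename(a) for a in argv]
        reasons = []
        for i, arg in enumerate(argv):
            seen = set(names[:i])  # commands and wrappers before this argument
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if arg.startswith("--password=") and arg != "--password=":
                argv[i] = "--password=" + MASK
                reasons.append("leak: --password=VALUE")
            elif seen & MYSQL_TOOLS and arg.startswith("-p") and len(arg) > 2:
                argv[i] = "-p" + MASK
                reasons.append("leak: mysql -pVALUE")
            elif seen & MYSQL_TOOLS and arg == "-p" and nxt and not nxt.startswith("-"):
                # The client prompts and reads the next word as a database name,
                # but a password typed here is still saved in history.
                argv[i + 1] = MASK
                reasons.append("review: word after mysql -p")
            elif "sshpass" in seen and arg == "-p" and nxt:
                argv[i + 1] = MASK
                reasons.append("leak: sshpass -p VALUE")
            elif "curl" in seen and arg in ("-u", "--user") and nxt and ":" in nxt:
                argv[i + 1] = nxt.split(":", 1)[0] + ":" + MASK
                reasons.append("leak: curl -u user:VALUE")
        if reasons:
            findings.append(Finding(lineno, reasons, " ".join(argv)))
    return findings


if __name__ == "__main__":
    for f in audit_history(HISTORY.splitlines()):
        print(f.lineno, ", ".join(f.reasons), "|", f.redacted)
```

Letting the client prompt (`mysql -u forum -p` with nothing after it), or reading credentials from an option file readable only by its owner, keeps the secret out of both the history file and the process list.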

Thereitis

Ars Scholae Palatinae
1,133
el_segfaulto said:
Love seeing the openness. Time to increment the trailing number on my password, that'll fool those ne'er-do-wells.

Yes, I'm changing mine from 123456 to 123457 straight away!
 
Upvote
1 (3 / -2)

taiganaut

Ars Scholae Palatinae
1,261
godel said:
The borderline for PRACTICAL safety is probably about 10 random characters, unless you're trying to keep the government out, so the twenty characters he's using are plenty.
No, the bare minimum now is about 12 characters, and 15 to be safe.

"In 2010, the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords, coming up with a minimum secure password length of 12 characters.[12][13][14]"
 
Upvote
1 (1 / 0)

epixoip

Wise, Aged Ars Veteran
192
Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

I would like to take a minute to address some of the comments being made about the password hashing algorithm that is used by the forum software Ars is using. Let's have a look at some of those comments.


pk! said:
MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.
Abhi Beckert said:
2,048 iterations is not enough to prevent a brute force attack on MD5.
d0x said:
Seriously? Ars themselves have posted many articles about this very method of encrypted password storage to be easily breakable either via brute force or with rainbow tables.
Threz_ said:
On the one hand, Ars calls the use of MD5 hashes for storing passwords as "unfortunate and irresponsible", and on the other (above) uses it as a way to argue that the passwords were well-"encrypted." Which is it?
FF22 said:
No wonder your server was hacked if you really thought running MD5 multiple thousand times over the password would harden the hashes by any means. If anything, it weakened them.

Wow. Powerful stuff there. Too bad these armchair experts are all dead wrong.

First, when we talk about MD5 being a poor and irresponsible choice for password hashing, we're talking about raw MD5. As in a single, unsalted iteration of MD5. As in md5($pass). And as the keen Ars reader will note, the reason this is a bad choice has nothing to do with any cryptographic weakness in the MD5 algorithm itself. It's simply because MD5 is very fast and very amenable to acceleration.

One of the ways we make an algorithm resistant to acceleration is to salt it and iterate it. And no, iterating a hash does not weaken it, that's utter horseshit. Iterating a hash is what almost all password hashing algorithms do, including all crypt(3) algorithms, PBKDF2, and even bcrypt.

Ars uses phpBB, which uses the Openwall PHPass password hashing algorithm, designed by none other than the venerable Solar Designer himself. PHPass uses salted and iterated MD5 to hash passwords. It is similar to md5crypt with some key differences, and even similar to PBKDF2 to some extent. And while it may not be the best choice for password hashing, it is a solid one.

To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

Now as the keen Ars reader will recall, normally us professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.

And that's the way it is.
 
Upvote
251 (255 / -4)
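The salted, iterated MD5 scheme described in the post above, as an added example that is not part of the original thread and not phpBB's own code: a Python reimplementation of portable PHPass verification, followed by a login-time upgrade to PBKDF2 of the kind suggested earlier in the thread. The `upgrade_on_login` name, the PBKDF2 record format, the default iteration count and the sample password and salt are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """PHPass's own little-endian base64 variant (not RFC 4648)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse(stored: str):
    """Split a portable hash into (prefix, log2_rounds, salt, digest).
    Layout: '$P$' or '$H$' (phpBB3), 1 rounds char, 8-char salt, 22-char digest."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable PHPass hash")
    log2_rounds = ITOA64.find(stored[3])
    if not 7 <= log2_rounds <= 30:
        raise ValueError("iteration count out of range")
    return stored[:3], log2_rounds, stored[4:12], stored[12:]


def phpass_hash(password: str, salt: str, log2_rounds: int, prefix: str = "$H$") -> str:
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2_rounds):  # 2**11 = 2,048 rounds for the char '9'
        digest = hashlib.md5(digest + pw).digest()
    return prefix + ITOA64[log2_rounds] + salt + _encode64(digest)


def verify(password: str, stored: str) -> bool:
    try:
        prefix, log2_rounds, salt, _ = parse(stored)
    except (ValueError, UnicodeError):
        return False
    candidate = phpass_hash(password, salt, log2_rounds, prefix)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def upgrade_on_login(password: str, stored: str, iterations: int = 600_000):
    """After a successful legacy check, return a PBKDF2-HMAC-SHA256 record to
    store in place of the old hash; None if the password is wrong.
    The record format is an assumption of this example."""
    if not verify(password, stored):
        return None
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


if __name__ == "__main__":
    # Constructed sample: made-up password and salt, 2**11 rounds.
    sample = phpass_hash("correct horse", "ExmplSlt", 11)
    print(sample, parse(sample)[1], verify("correct horse", sample))
```

Because the salt and the round count travel inside the stored string, a verifier needs nothing else, and each candidate password costs the full loop again for every distinct salt.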

Deleted member 441963

Guest
epixoip said:
Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney.

Trust me: this guy is not kidding.

He's not kidding, he's a celebrity, on the intarwebs, on the internet and in security circles. Even I know him. We shook hands, but unless he remembers a 6'9" dutchman I doubt I made any impression. I'm not a celebrity. Just a BFG.

Change your password *now* because it's never a bad idea. But don't blame Ars. They did about the best they could.
 
Upvote
16 (20 / -4)

Pluvia Arenae

Ars Tribunus Militum
2,872
Subscriptor++
pqr said:
Sure. Why assume salt is unknown? Typically it is in same DB as hash itself. (In other words effective speed is order Mhash/sec in targeted attack.)
He didn't assume the salt is unknown. What makes you think that he did?
 
Upvote
28 (28 / 0)

pqr

Ars Scholae Palatinae
1,261
Pluvia Arenae said:
pqr said:
Sure. Why assume salt is unknown? Typically it is in same DB as hash itself. (In other words effective speed is order Mhash/sec in targeted attack.)
He didn't assume the salt is unknown. What makes you think that he did?

I edited meantime. His 'effective' speed 3M -> 3 has funny definition in my mind but it is clear how he got there. Originally I thought he divided assuming only set of salts is known but not which salt belongs to which user.

But fact remains - effective speed much higher than couple hashes/sec in targeted attacks, and some of us at least care for those.
 
Upvote
-3 (1 / -4)
JGJones said:

Yes that's true. But a password generator can be adjusted for each site. I know about the Microsoft site being limited to 16, that's annoying. I generate a 16 character password and then go back to generating maximum length for other sites including those that allow for near-unlimited characters.

In ArsTechnica's case - you aren't limited in length so perhaps I should have been more accurate and said *for this site, go big!* ;-)

I've always found it a bit ridiculous that actually important and high value sites tend to have such limited password restrictions whereas sites that are almost to the level of throwaway account access tend to have pretty much unlimited password restrictions.

I mean really, the average banking website has like a 12 character limit and many of those don't support most special characters. Let's be honest, for something like bank access 12 characters should be the lower limit not the upper. Yet an Ars account password really isn't that valuable in the scheme of things and is almost unlimited.

The fact that a company like Microsoft that SHOULD be concerned with security only supports 16 character passwords is just hilarious. While a limit is reasonable to have so people don't abuse it, setting a limit at 80-100 characters will cover 5 9s of all cases. The passwords I used before switching to automated password management were generally longer than 16 characters.
 
Upvote
20 (20 / 0)
phoenix_rizzen said:
systemsready said:
Erm....what if you don't remember your password...?

Go into your browser settings, into the password manager, and show the password. Not that hard to do.

I thought this was a joke! Am I the only one who didn't know about this?!

Funny thing is, apparently the last time I was trying to remember my ars password on my phone, some kind of glitch kept copying the captcha into the username field and now I see that IE saved all 8 or so attempts as separate ars accounts.

Actually, now that I think about it, that "glitch" was probably the "remember username and password" function. Ah well, learned something new today.
 
Upvote
5 (5 / 0)

Aunty Dan

Seniorius Lurkius
4
leedo said:
Aunty Dan said:
Is anyone else unable to change their password? Every time I try I get the error "You did not enter a confirm e-mail address" in red next to the "Update password" button.

I can change my password by using the "Forgotten password" reset function fine, but once set I can't change it to anything else because of this error.
Can you give this (old) profile page a try? ucp.php?i=172

Yes that worked thanks, although the first time through it deactivated my account, requiring an email confirmation to reactivate it and another password recovery.
 
Upvote
3 (3 / 0)