Ars was briefly hacked yesterday; here’s what we know

Readers, please change your passwords.

Read the whole story

 

[MattM]

while we know that md5+twothousandrandomsalts[x] is pretty weak, let us be realistic, nobody will have a hash table built for any of the random salts, so it's not going to reveal anyone's password (practically)

 

[Jim Z]

MattM[/url]":2sc75mqe]while we know that md5+twothousandrandomsalts[x] is pretty weak, let us be realistic, nobody will have a hash table built for any of the random salts, so it's not going to reveal anyone's password (practically)

possibly, but with Lastpass and it's "generate new password" it's easy enough where it's silly not to change it.

 

[bojesphob]

Funny thing is, I had forgotten mine a few months ago and had the system send me a new password that I never got a chance to change. So, now I actually have changed it to something that I'll actually remember!

 

[MattM]

Jim Z[/url]":3ct9plrb]

MattM[/url]":3ct9plrb]while we know that md5+twothousandrandomsalts[x] is pretty weak, let us be realistic, nobody will have a hash table built for any of the random salts, so it's not going to reveal anyone's password (practically)

possibly, but with Lastpass and it's "generate new password" it's easy enough where it's silly not to change it.

true, who knows what kind of additional weaknesses are exposed in the future in order to reduce the Time-Complexity of hashing algorithms. Probably not soon enough to expose this data as clear text, but eventually it may be cracked.

 

[Jim Z]

MattM[/url]":1ntwfk8f]

Jim Z[/url]":1ntwfk8f]

MattM[/url]":1ntwfk8f]while we know that md5+twothousandrandomsalts[x] is pretty weak, let us be realistic, nobody will have a hash table built for any of the random salts, so it's not going to reveal anyone's password (practically)

possibly, but with Lastpass and it's "generate new password" it's easy enough where it's silly not to change it.

I'm unaware of what that is, please enlighten me.

http://lmgtfy.com/?q=lastpass

 

[MattM]

oops, i edited my response, i actually took the time to digest what you said and it clicked

 

[sbear]

epixoip[/url]":2sbagu99]Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

I would like to take a minute to address some of the comments being made about the password hashing algorithm that is used by the forum software Ars is using. Let's have a look at some of those comments.

pk![/url]":2sbagu99]MD5, really? After having printed several articles on password cracking I'd have hoped you'd at least have leveraged a stronger hashing algorithm.

Abhi Beckert[/url]":2sbagu99]
2,048 iterations is not enough to prevent a brute force attack on MD5.

d0x[/url]":2sbagu99]
Seriously? Ars themselves have posted many articles about this very method of encrypted password storage to be easily breakable either via brute force or with rainbow tables.

Threz_[/url]":2sbagu99]One the one hand, Ars calls the use of MD5 hashes for storing passwords as "unfortunate and irresponsible", and on the other (above) uses it as a way to argue that the passwords were well-"encrypted." Which is it?

FF22[/url]":2sbagu99]
No wonder your server was hacked if you really thought running MD5 multiple thousand times over the password would harden the hashes by any means. If anything, it weakened them.

Wow. Powerful stuff there. Too bad these armchair experts are all dead wrong.

First, when we talk about MD5 being a poor and irresponsible choice for password hashing, we're talking about raw MD5. As in a single, unsalted iteration of MD5. As in md5($pass). And as the keen Ars reader will note, the reason this is a bad choice has nothing to do with any cryptographic weakness in the MD5 algorithm itself. It's simply because MD5 is very fast and very amenable to acceleration.

One of the ways we make an algorithm resistant to acceleration is to salt it and iterate it. And no, iterating a hash does not weaken it, that's utter horseshit. Iterating a hash is what almost all password hashing algorithms do, including all crypt(3) algorithms, PBKDF2, and even bcrypt.

Ars uses phpBB, which uses the Openwall PHPass password hashing algorithm, designed by none other than the venerable Solar Designer himself. PHPass uses salted and iterated MD5 to hash passwords. It is similar to md5crypt with some key differences, and even similar to PBKDF2 to some extent. And while it may not be the best choice for password hashing, it is a solid one.

To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

Now as the keen Ars reader will recall, normally us professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.

And that's the way it is.

I love you.

 

[ketterling]

"At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers..."

How did you know he gained access at that time?

 

[sbear]

ketterling[/url]":1d6n16c2]"At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers..."

How did you know he gained access at that time?

Server logs?

 

[inventurous]

JademusSreg[/url]":1srwla3e]Enjoyed the technical detail provided by epixoip quite a bit, would very much appreciate similarly in-depth yet casually nuanced expert appendices, perhaps as a more permanent feature. Either way, though, warms my core with a reverential tingle when promoted comments reveal the breadth of Ars and its readership.

Regarding the tangent-topic eulogizing today's fallen passwords, manager-generated strings are nice, but sometimes one needs a pass which is both strong and easy to recall. Given the advance of dictionary attacks (and its myriad combinatorial offspring), I personally prefer to use absurdly loquacious pass-phrases which enjoy the benefit of mneumonic technique by virtue of their humor.

As an example, if one takes that last clause and runs it through the zxcvbn password evaluation demo from Dropbox's tech blog, its analysis claims the phrase (I personally prefer to use absurdly loquacious pass-phrases which enjoy the benefit of mneumonic technique by virtue of their humor.) yields an estimated crack time of around 2.9·10¹⁰⁰ years and contains about 372 bits entropy. Of course, this requires a given service effectively permits arbitrarily long passwords and, while most don't, fortunately those services' account which one might need to access under any|every circumstance (email, cloud storage, pass-managers) tend to set the char-bar rather high.

"loquacious mneumonic" alone yields 87 entropy/centuries to crack

 

[haar]

Changed... Even though the password was one that was auto generated via the password forgotten function... it other words, not used anywhere else.

BTW, ars technica should notify all the other company's/sites in the contè naste family... They are probably being targeted...

 

[bowditch]

I was actually a little excited to see the hack page up in place of your home page the other day - not that I wished ill on Ars Technica, but because that would mean we'd get a good article on how it happened and where the weaknesses were.

I didn't realize that I'd also get some schooling on the pros and cons of various password hashing algorithms - that was an added bonus.

Thanks for the coverage.

 

[viatori]

Should I change my password?

The hackers are not really limited by the amount of time it takes to crack it because they could easily rent virtual machine instances on Amazon's web services or potentially even the Bitcoin mining pools. The Bitcoin mining pools collectively can do in a day what would take a desktop 10,000 years (although it costs on the order of a $1M a day in electricity to do it). So the limiting factor is not time, it's money. If they spent $10^17 they could crack my 16 character password, most of that being the cost of energy (entropy = energy = dollars).

Yeah, I know Bitcoin mining uses SHA-256 specific ASICs now that can't be harnessed for MD-5, but there are bunch of graphics cards in Litecoin pools that could be harnessed theoretically but I don't have the numbers for those. As an aside, the scrypt ASICs in Litecoin pools could be harnessed for cases where scrypt was used for password hashing. And no, harnessing mining pools is not practical in the real world, at least for the time being.

 

[fryhole]

The hacker didn't have long to drink all the booze and hack all the things, fortunately; by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further.

Did you managed to move the poorly located backup file to a more seecure location ?

 

[boondox]

jonfr[/url]":3sfoc7oa]Changing email address is also something that should be considered. Since those often end up on pay-for-spam list that are sold on the black internet market. I had just updated my email address here due to spam problem from older (different websites) hacks that resulted in me getting tons of spam emails every day.

I use disposable webmail accounts (d.w.a.) for my Ars login as I'm not a subscriber. I'm just here to comment on the occasional story. That way, I avoid spam and phishes. I do the same for most of my online "commentary" needs and for other websites, using a different d.w.a. for most.

All I did today was change my uniquely created Ars password to another one. If the old password gets cracked I'd only be at risk for impersonation here at Ars and nowhere else.

All told, this is why I like Ars: the commentary. They're filled with tutorials, links and asides that make reading all the comment pages worthwhile.

One other thing that occured to me: does Ars log IPs?
If they do, would the attackers have gotten access to those?
Wouldn't a mapping of IPs to email addresses & logins be just as useful as a mapping of emails & passwords, especially if preparing for a future "waterhole" attack against frequent Ars readers?

I dunno... maybe I'm overcomplicating things...

edited to add "One other thing..."

 

[infected]

pqr[/url]":1te52s31]

uhuznaa[/url]":1te52s31]Any idea how the hacker got in in the first place? What OS do you run on that server and which hole he crept in through? THAT would make a nice read...

I heard it was combination of inside job and North Korean hackers...

Just for fun... the article in dodgy korean-english...

Coming in 14th at 20:00 CST Internet intruders try to get more from the Web server to a central computer to get access to one of Asda web server spent the next hour. At 20:52, a successful attempt was wrong thanks to information gathered from the backup file. In the following days, 14:13, hackers replaced the Web pages returned dual-core band page defacement streaming songs from the main opening to a central server. The song, "All Things" has a chorus:

Drink all the booze
Hacking the whole thing!

Hackers Fortunately, I did not drink all the booze long hack everything; By 14:29, our technical team to remove the damaged page, and restore normal Asda jobs. We change all passwords and certificates inside and spent the afternoon to further secure server.

It is recommended that the log file shows the hacker movement through our servers he or she has the opportunity to copy the user database. The database is not included in your payment information on asbestos subscribers, but include your e-mail address and password. The password is, however, (using the 2048 iteration of the MD5 algorithm, marinated in a random sequence of letters of salt) are stored in hash form.

Care of the excess, we strongly readers, especially other, a re-opening of their password on more sensitive sites - we all Asda today to change their password.

We do not provide a complete autopsy of hacking and continue to update when new things to light. Thanks to all who provide support!

 

[ketterling]

sbear[/url]":933wu6jn]

ketterling[/url]":933wu6jn]"At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers..."

How did you know he gained access at that time?

Server logs?

More specific?

 

[THavoc]

ketterling[/url]":35euzg8p]

sbear[/url]":35euzg8p]

ketterling[/url]":35euzg8p]"At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers..."

How did you know he gained access at that time?

Server logs?

More specific?

More specific? ummm, what? If you don't know what a server log is, Here's good Wikipedia article to help educate you:

http://en.wikipedia.org/wiki/Server_log

Dunno how you can get more specific than that. Perhaps you were the hacker and you've created a new name to try to get more information?

Yeah, no suspicion there...

 

[perholmes]

I'd really love to get more specifics about the attack vector. Because once thing is to do some SQL injection, another is to gain what I assume is SSH access, presumably with a certificate, or running bash via an unpatched Shellshock.

What was the attack vector? Maybe I feel the same as driving by an accident scene. I want to know if there's a precaution I'm not taking well enough.

 

[operagost]

THavoc[/url]":1e4qrqkn]

psiu_glen[/url]":1e4qrqkn]Guess I'll change the combination password on my luggage, too.

Yeah, 1234 is not a good idea. Try 4321.

I use hunter2. Well, now it's hunter3.

 

[THavoc]

operagost[/url]":1amwlm80]

THavoc[/url]":1amwlm80]

psiu_glen[/url]":1amwlm80]Guess I'll change the combination password on my luggage, too.

Yeah, 1234 is not a good idea. Try 4321.

I use hunter2. Well, now it's hunter3.

Sweet! Now I can log into ARS as you!

Time to post some nudie pics.

 

[DCRoss]

Sad. Now I can't use the password "173467321476C32789777643T732V73117888732476789764376Lock" any more.

The really hard part was having to type it in Patrick Stewart's voice every time.

 

[THavoc]

DCRoss[/url]":23cpx5bw]Sad. Now I can't use the password "173467321476C32789777643T732V73117888732476789764376Lock" any more.

The really hard part was having to type it in Patrick Stewart's voice every time.

Do like I do. Hire him to do voice overs when I'm entering a new password.

 

[Duck Dastardly]

"Out of an excess of caution, we strongly encourage all Ars readers—especially any who have reused their Ars passwords on other, more sensitive sites—to change their passwords today."

I couldn't tell MD5 from MDF, but surely changing their password on this site now won't make much difference if they have used the same password on other sites? Or did the article mean that they should change all their passwords associated with the email account they used to register here?

 

[epixoip]

locolocol[/url]":2iuy43yd]

epixoip[/url]":2iuy43yd]Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

Ha, when I read this, I immediately thought of:
Hi! I'm Troy McClure, you may remember me from such films as...

Yes, that was the joke

 

[weathertop]

epixoip[/url]":3m7jknd7]

locolocol[/url]":3m7jknd7]

epixoip[/url]":3m7jknd7]Hi everyone. This is noted password cracking expert and D-list Internet celebrity Jeremi Gosney. You might remember me from here, here, here, here, here, here, or even here or here.

Ha, when I read this, I immediately thought of:
Hi! I'm Troy McClure, you may remember me from such films as...

Yes, that was the joke

Mixed in with a little Dr. Nick?

Missed opportunity on the Ars staff side: Good news, everybody! You get to change your passwords. Again. For the eleventy-billionth time this year.

 

[g3s17h87]

This article finally has caused me to do it. After being a long-time reader of Ars, I've decided to sign up so I can write responses/replies to the intriguing articles I enjoy reading daily and also to the mostly knowledgeable commentators. (Not that I am one by any means...)

So I was pretty dang curious about the article headlined on this page when I first saw it. Being a computer security enthusiast myself, I was surprised to see a tech-based website being hacked. As far as I can tell there is not much leverage to gain by doing so as the most visibly, valuable stuff on here is information. So I went on ahead and read what was mostly a straight-forward if not humbly written article. So blah blah blah I went on down to the comments. Any regular visitor knows that there are trolls, experts, 'armchair experts', casual readers with casual responses, and all other kinds of people out there with opinions happy to share them for any reason at all. That's when I remember why I love this site....

If you've read this comment then chances are you have read what user 'epixoip' has had to say. And it is because of him I am also writing today. I love this shit!!!! Ars, your site, your news, your articles, your overall treasure of information that directly appeals to my soul of being is why I am here. Sure this referenced article was short but I don't care. This place attracts like minded people and I fucking love reading what others have to say. The knowledge in your articles is top-notch. Then the people that come here, read and respond always take it a step further. This place is like impromptu school for geeks. Every time I finish reading the articles and the associated comments, I leave feeling enriched and more knowledgeable. Gawd I love you guys. - Even the trolls who comment bogus shit. I don't know it all but when I see someone bashing down imaginary troll logic with the real deal, it makes me feel warm inside. Everything on here... it's all good

 

[BadSuperblock]

I really don't think it's necessary to change my password. What's the worst that could happen? Death to the running dogs of the imperialist Western powers!

 

[steell]

Violynne[/url]":6hy00xmg]No need to change my password. It's unique to this site and there's absolutely no personal information stored on the account.

However, if I seemingly start to troll this site by making comments which seem out of the ordinary, I give Ars full permission to ban/delete the account.

It's not as though I post much anyway.

Compared to me, you're a rabid jabberbox!

See join date and post count

 

[weathertop]

g3s17h87[/url]":3r1rlz0n]This article finally has caused me to do it. After being a long-time reader of Ars, I've decided to sign up so I can write responses/replies to the intriguing articles I enjoy reading daily and also to the mostly knowledgeable commentators. (Not that I am one by any means...)

So I was pretty dang curious about the article headlined on this page when I first saw it. Being a computer security enthusiast myself, I was surprised to see a tech-based website being hacked. As far as I can tell there is not much leverage to gain by doing so as the most visibly, valuable stuff on here is information. So I went on ahead and read what was mostly a straight-forward if not humbly written article. So blah blah blah I went on down to the comments. Any regular visitor knows that there are trolls, experts, 'armchair experts', casual readers with casual responses, and all other kinds of people out there with opinions happy to share them for any reason at all. That's when I remember why I love this site....

If you've read this comment then chances are you have read what user 'epixoip' has had to say. And it is because of him I am also writing today. I love this shit!!!! Ars, your site, your news, your articles, your overall treasure of information that directly appeals to my soul of being is why I am here. Sure this referenced article was short but I don't care. This place attracts like minded people and I fucking love reading what others have to say. The knowledge in your articles is top-notch. Then the people that come here, read and respond always take it a step further. This place is like impromptu school for geeks. Every time I finish reading the articles and the associated comments, I leave feeling enriched and more knowledgeable. Gawd I love you guys. - Even the trolls who comment bogus shit. I don't know it all but when I see someone bashing down imaginary troll logic with the real deal, it makes me feel warm inside. Everything on here... it's all good

Woah, woah, settle down sparky. Need a towel? Maybe some Gatorade? I mean, some of us do like to be taken out for drinks, shown a good time before the ILUs come. It's just all too much for us. :bigdumbgrin:

 

[THavoc]

weathertop[/url]":1j3sx3re]

g3s17h87[/url]":1j3sx3re]This article finally has caused me to do it. After being a long-time reader of Ars, I've decided to sign up so I can write responses/replies to the intriguing articles I enjoy reading daily and also to the mostly knowledgeable commentators. (Not that I am one by any means...)

So I was pretty dang curious about the article headlined on this page when I first saw it. Being a computer security enthusiast myself, I was surprised to see a tech-based website being hacked. As far as I can tell there is not much leverage to gain by doing so as the most visibly, valuable stuff on here is information. So I went on ahead and read what was mostly a straight-forward if not humbly written article. So blah blah blah I went on down to the comments. Any regular visitor knows that there are trolls, experts, 'armchair experts', casual readers with casual responses, and all other kinds of people out there with opinions happy to share them for any reason at all. That's when I remember why I love this site....

If you've read this comment then chances are you have read what user 'epixoip' has had to say. And it is because of him I am also writing today. I love this shit!!!! Ars, your site, your news, your articles, your overall treasure of information that directly appeals to my soul of being is why I am here. Sure this referenced article was short but I don't care. This place attracts like minded people and I fucking love reading what others have to say. The knowledge in your articles is top-notch. Then the people that come here, read and respond always take it a step further. This place is like impromptu school for geeks. Every time I finish reading the articles and the associated comments, I leave feeling enriched and more knowledgeable. Gawd I love you guys. - Even the trolls who comment bogus shit. I don't know it all but when I see someone bashing down imaginary troll logic with the real deal, it makes me feel warm inside. Everything on here... it's all good

Woah, woah, settle down sparky. Need a towel? Maybe some Gatorade? I mean, some of us do like to be taken out for drinks, shown a good time before the ILUs come. It's just all too much for us. :bigdumbgrin:

Speak for yourself. I'm a cheap date!

 

[donovan1983]

Thank you for letting all your users know about this, Ars. It motivated me to change my password here and a few other websites, some to completely random ones (thanks iCloud Keychain). From what has been posted here it seems unlikely that our passwords are actually compromised but I'd rather not tempt fate.

 

[DKlimax]

Bit surprising there was no alert for those attempts to gain access to "more central" server. (Sounds like repeated login attempts)

Will be interesting to know full description of attack.

 

[TheMerricat]

ketterling[/url]":3nir3kya]

sbear[/url]":3nir3kya]

ketterling[/url]":3nir3kya]"At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers..."

How did you know he gained access at that time?

Server logs?

More specific?

She stopped by for a bit of tea and dropped off her journal for some slam poetry reading before heading out. It said on page 14, with little Wolverine scribbles surrounding it, "At 20:00 CT on December 14, I gained access to one of the Ars Web servers. BTW what is up with all the people assuming I'm a male?"

Then they all had a good laugh and then she left.

 

[King_DuckZ]

Oh well... *fires up keepassx, hits the Generate button* there you go!

 

[DigginIn]

Thank you

 

[inventurous]

Ars was hacked?!! Just received an email notification about it, suggesting I change my password!

 

[Seyss]

lol noobs

 

[seajack0]

Why isn't this pinned to the front page? You guys always vilify other companies for allowing themselves to be hacked and smear it all over the front page, only to bury your own site getting hacked in the sidebar. What gives? Also, MD5? What is this, 2004?

 

[Xeric]

Who gives a crap? I don't re-use passwords and the email I use for registration on sites is for spam; no real name, etc.

Enjoy my pseudonymous trash.