
posted by LaminatorX on Wednesday December 17 2014, @01:22PM   Printer-friendly
from the How-rude! dept.

Ars Technica - Ars was Briefly Hacked Yesterday

At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core.

Given there may be some crossover between the Ars Technica community and SN, just a brief note to highlight this piece:

Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters).

Out of an excess of caution, we strongly encourage all Ars readers—especially any who have reused their Ars passwords on other, more sensitive sites—to change their passwords today.

Just a heads up for infrequent Ars visitors that may have an account there.

  • (Score: 2, Insightful) by VLM on Wednesday December 17 2014, @02:21PM

    by VLM (445) Subscriber Badge on Wednesday December 17 2014, @02:21PM (#126861)

    BS dropping #1: if the absolute minimum amount of time you were owned is 18 hours, only a .gov or .com employee could claim that's a brief part of a day. Due to peculiar overlap of schedules etc I think I wasn't even awake 18 hours yesterday. Brief would have the story read like, ... and at 20:01 CT the IDS went batshit insane paging the entire universe and we went in full airgap lockdown mode until the hole was found and patched and the automation system (puppet or chef or whatever) rebuilt all system images.

    BS dropping #2: they claim that passwords are stored basically responsibly and rainbow table proof so you need to change your password. Someone is full of BS. A nation state who really likes Dual Core. Wikipedia has censored their article for Dual Core because they're idiotic small minded jerks in general (why I'll never give them a penny of money) although I've found two Dual Core bands, one out of Israel and one out of UK so either Israel or UK have nation state capability to break the strongest password storage techniques currently known, and also have bad taste in music which would tend to imply the attack came from Israel. Or Ars is lying to everyone and they store passwords in plain text and no one will know unless they also break in and look at source and database. Either way this is steaming pile #2 of #2.

    Also if you're going to sit on stories in the queue for two days, edit them before posting, so the real world "yesterday" matches the story "yesterday". This all went down last Sunday more or less, not yesterday. Editors generally do a heroic thankless job blah blah I'm just filing a wishlist bug here, if I was trying to flame you, you'd know.

    • (Score: 5, Insightful) by Sir Garlon on Wednesday December 17 2014, @02:51PM

      by Sir Garlon (1264) on Wednesday December 17 2014, @02:51PM (#126886)

      I am getting pretty disgusted with Soylent lately because the first comment on every article is someone crowing, "This is BS." Usually, as in this case, that someone does not know what he's talking about, as I will now demonstrate.

      Item 1: According to the Verizon 2014 Data Breach Investigations Report [verizonenterprise.com](Figure 29, p. 22), more than two-thirds of data breaches take weeks or longer to discover, so 18 hours is pretty damned brief as intrusions go. As for that fantasy about your IDS triggering an airgap lockdown: no one would set up such a system, because it would be monumentally stupid to execute a total denial-of-service attack on yourself at the first sign of an intrusion.

      Moving on to Item 2, parent knows as much about cryptography as he does about incident response. It is too early to conclude that the attacker *didn't* exfiltrate the salted hashes of user passwords, and salted hashes are crackable. It just takes longer. So safe password practices will never mean your passwords are immune to disclosure; only that an attacker needs to spend more time and effort to get those passwords, and you may have a few hours' or days' grace period in which to change your passwords. It's hard to say what the attacker wanted, but in my opinion passwords are a reasonably high-value target, so changing passwords is good advice.

      As to the Dual Core stuff, *of course* a nation state or professional attacker would want you to think he was just an idiot script kiddie. The real question is why the attacker bothered to deface the site at all. Either he was just a script kiddie out for the lulz, which is quite possible, or he wanted everyone to think that he was.

      Trying to make yourself look smart by heaping abuse on an article, its submitter, and Soylent is not +1 Insightful.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
      • (Score: 2) by mojo chan on Wednesday December 17 2014, @10:42PM

        by mojo chan (266) on Wednesday December 17 2014, @10:42PM (#127011)

        I'm forced to agree. Soylent is getting worse than Slashdot, incredibly.

        Well, it's polarised. Sometimes much better, sometimes much worse. I suppose that's due to the small user base.

        --
        const int one = 65536; (Silvermoon, Texture.cs)
      • (Score: 2) by jcd on Thursday December 18 2014, @02:13AM

        by jcd (883) on Thursday December 18 2014, @02:13AM (#127054)

        This is what I'd planned on saying this morning. I feel like everyone waits for articles here to see what holes they can stab in them and what insults they can throw at the author/editor.

        If we could stick to being a bit more positive, and maybe even actually discuss the content of the articles, we could have a much more enjoyable community.

        --
        "What good's an honest soldier if he can be ordered to behave like a terrorist?"
        • (Score: 0) by Anonymous Coward on Thursday December 18 2014, @03:46AM

          by Anonymous Coward on Thursday December 18 2014, @03:46AM (#127065)

          Not everyone. Just a handful, there is a pattern.

    • (Score: 2) by martyb on Wednesday December 17 2014, @03:18PM

      by martyb (76) Subscriber Badge on Wednesday December 17 2014, @03:18PM (#126895) Journal

      This comment [arstechnica.com], included in TFA, suggests that the security measures for Ars Technica were quite adequate. I found the comment extremely well-written and backed with actual data. I highly recommend reading it in its entirety.

      tl;dr summary:

      Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

      [...]

      If you want to put this into "OL Hashcat [arstechnica.com]" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

      So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.

      --
      Wit is intellect, dancing.
    • (Score: 2) by juggs on Thursday December 18 2014, @05:09AM

      by juggs (63) on Thursday December 18 2014, @05:09AM (#127081) Journal

      The SN title reference to "yesterday" was taken from the Ars article headline of "Ars was briefly hacked yesterday; here’s what we know".

      If you look at the Ars article in question you will note it was posted "by Ars Staff - Dec 16, 2014 9:52 pm UTC".

      I submitted my SN article in the wee small hours of Dec 17 UTC, presumably Blackmoore submitted slightly earlier. So just a handful of hours elapsed between Ars posting the announcement and us picking it up.

      The Ars reference to "yesterday" seems to refer to the relative time the hacker returned and carried out the site defacement rather than the initial breach, so please feel free to head over to Ars and nit-pick them on that detail.

      My motivation for my submittal was to alert Ars account holders who may only visit once a week or once a month and may not have seen the announcement. I've no idea if Ars sent out email notifications as well as I don't have an account there. It benefits us all to spread this sort of notification, even if delayed beyond your tolerance for timeliness.

      As always, you're invited to submit your own timely articles or volunteer your time to bolster the ranks of those working to keep SN ticking.

  • (Score: 1) by MorbidBBQ on Wednesday December 17 2014, @02:28PM

    by MorbidBBQ (3210) on Wednesday December 17 2014, @02:28PM (#126867)

    They stole the password hashes. If a proper algorithm was used, this would be less cause for concern (on a scale of 1/10 to 0.5/10).
    MD5 has known security vulnerabilities https://crackstation.net/hashing-security.htm [crackstation.net], and should not be used for password storage.
    Is the salted data still secure, or were they able to get that file/method of random generation?

    On another note, I hate when websites don't let me use a "+" in my email address. That makes it much easier to see what website sold or lost my data.

    • (Score: 2) by Nerdfest on Wednesday December 17 2014, @02:44PM

      by Nerdfest (80) on Wednesday December 17 2014, @02:44PM (#126879)

      Repeated iterations and random salt is good enough for what that password is used for. Yes, a targeted attack on a single user with a lot of hardware thrown at it could probably get the password eventually. They do much better with their security than most people do.

      If you get your own domain, you can use aliases instead of GMail's "+" feature. Always nice to be decoupled from your email provider anyway. But yeah, I think the "+" is supposed to be allowed by the spec for email addresses. It should work everywhere.

      • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @03:26PM

        by Anonymous Coward on Wednesday December 17 2014, @03:26PM (#126900)

        The problem with gmail's implementation of + is that it still exposes your "real" account. Since gmail is so ubiquitous the '+' trick is too well known. Anyone can just strip the '+' from any gmail addresses and get the root address. It would help if they assigned a random base to put before the '+' that was not a valid address in and of itself. Ideally though, there would be no commonality between addresses at all in order to prevent companies like BlueKai from using the email address as a primary key for their profiling databases.

        • (Score: 0) by Anonymous Coward on Thursday December 18 2014, @12:42AM

          by Anonymous Coward on Thursday December 18 2014, @12:42AM (#127042)

          I think the idea is to know which site lost the data, not to protect the root email.

    • (Score: 2) by gman003 on Wednesday December 17 2014, @05:52PM

      by gman003 (4155) on Wednesday December 17 2014, @05:52PM (#126947)

      2K iterations of salted MD5 is sufficient for storing passwords. It's not the best, but it's plenty good enough, especially for just a comment system.

      To quote someone who knows more than I: [arstechnica.com]

      To see just how solid PHPass is, let's look back at another famous breach which used PHPass: Forbes. Back in February, Forbes had 1,071,961 password hashes dumped by SEA. Out of those 1,071,961 password hashes, 1,071,734 were hashed using PHPass.

      Now as the keen Ars reader will recall, normally us professional password crackers can get a public dump 85-95% cracked within a rather short period of time. And indeed, the 227 passwords that weren't hashed with PHPass were 100% cracked in just a few short minutes. But after 10 months, we currently only have the Forbes PHPass hashes 16.19% cracked. Yes, you read that correctly. We've only managed to crack 173,548 -- or 16.19% -- of the Forbes passwords, and most of those were Top 20K passwords.

      If you want to put this into "OL Hashcat" terms, a single R9 290X can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That's beyond properly slow. Multiply that by 100 GPUs and that's still only 286 H/s. We can't do very much with that, and that's why this list is only 16.19% cracked.

      So obviously PHPass is pretty good at what it does, and Ars has done absolutely nothing wrong by using this algorithm. It is perfectly suitable for what this site is. I've said before that password hashing is like an insurance policy, and Ars has bought you ample time to change your passwords.
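      An added illustration (my own code, not Ars's, PHPass, or the quoted cracker's) of the two things the numbers in the Ars statement and in the quoted comment rest on: an iterated, salted MD5 construction of the kind the Ars statement describes (2,048 rounds), and why a per-user salt divides an attacker's throughput by the number of distinct salts. The record format, salt length and helper names are assumptions; the figures fed to `effective_rate` are the ones quoted above.

```python
import hashlib
import hmac
import os

ITERATIONS = 2048  # the round count quoted in the Ars statement (2**11)

def iterated_salted_md5(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Chain MD5 over (salt + password), then over (digest + password) `iterations` times.
    This mirrors the shape of PHPass portable hashes; it is NOT PHPass's exact encoding."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(iterations):
        digest = hashlib.md5(digest + password).digest()
    return digest

def make_record(password: str, salt_len: int = 8, iterations: int = ITERATIONS) -> str:
    """Store iterations, a fresh random salt and the digest (assumed '$'-separated hex format)."""
    salt = os.urandom(salt_len)  # a distinct salt per user is what defeats shared rainbow tables
    digest = iterated_salted_md5(password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare of the hex digests."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = iterated_salted_md5(password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def effective_rate(per_hash_rate: float, unique_salts: int, gpus: int = 1) -> float:
    """Guesses per second against EACH hash: a candidate tried under one salt says nothing about the
    other salts, so raw throughput is divided by the number of distinct salts in the dump."""
    return per_hash_rate * gpus / unique_salts

def slowdown_factor(raw_rate: float, iterated_rate: float) -> float:
    """How much the iteration count costs the attacker relative to a single raw MD5 per guess."""
    return raw_rate / iterated_rate

if __name__ == "__main__":
    record = make_record("correct horse battery")           # constructed sample password
    print(record, verify("correct horse battery", record), verify("wrong", record))
    # Quoted figures: one R9 290X does ~12.2 GH/s raw MD5 but ~3 MH/s against PHPass,
    # and the Forbes dump had 1,071,734 unique salts.
    print(f"{effective_rate(3e6, 1_071_734):.2f} H/s per hash on one GPU")
    print(f"{effective_rate(3e6, 1_071_734, gpus=100):.0f} H/s per hash on 100 GPUs")
    print(f"{slowdown_factor(12.2e9, 3e6):.0f}x slower than raw MD5")
```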

      • (Score: 1) by MorbidBBQ on Wednesday December 17 2014, @06:54PM

        by MorbidBBQ (3210) on Wednesday December 17 2014, @06:54PM (#126962)

        Ars has done a good job with transparency, and comment resolution.
        How many other companies release their methods of password database security?

        Disclaimer: I Am Not A Security Expert - Just an Ars Technica Reader.

        • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @07:43PM

          by Anonymous Coward on Wednesday December 17 2014, @07:43PM (#126976)

          This is a very good point. This is nasty stuff but pretending it never happened would only make it so much worse. Much better to admit that the Pandora's box is wide open.

          (In the past I thought for some reason that Ars isn't that interesting but lately I've changed that opinion quite radically.)

    • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @06:15PM

      by Anonymous Coward on Wednesday December 17 2014, @06:15PM (#126953)

      "md5(password)" is weak, but "repeat(md5(password+salt), 1000)" is not. There is nothing wrong with the algorithm, just with the way crypto-naive people use it.

  • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @02:38PM

    by Anonymous Coward on Wednesday December 17 2014, @02:38PM (#126875)

    At what point do we look at the system as fundamentally broken and decide to try new protocols which change the way the Internet works to be more secure / identify users? (No, the Ars hack alone isn't responsible... But if neither the megacorporations nor the small players can keep their systems secure, what hope do we have?)

  • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @02:45PM

    by Anonymous Coward on Wednesday December 17 2014, @02:45PM (#126881)

    Foot meet bullet...

  • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @02:49PM

    by Anonymous Coward on Wednesday December 17 2014, @02:49PM (#126884)

    The more common form is "out of an abundance of caution". Either way, it's a noxious verbiage, like that stupid "make no mistake". Don't write like a marketing moron.

    • (Score: 0) by Anonymous Coward on Wednesday December 17 2014, @03:19PM

      by Anonymous Coward on Wednesday December 17 2014, @03:19PM (#126896)

      That was a direct quote from the Ars Technica article — you might want to direct your comment to them. =)

    • (Score: 0) by Anonymous Coward on Thursday December 18 2014, @07:38PM

      by Anonymous Coward on Thursday December 18 2014, @07:38PM (#127238)

      And so what phraseology sounds correct in form and tone when you are making it clear a measure is recommended only to be careful and not because of an immediate threat? Make no mistake, criticizing others is easy if you aren't required to provide better alternatives.