Please change your passwords

[FliesLikeABrick]

Due to the hole in the Soldat Dedicated Server software, the some parts of the database server were compromised via Soldat Servers hosted on the same physical machine as the forums.  Though they are encrypted (md5 hashed), weak passwords can be figured out using a number of tools available online.

Please change your passwords as soon as possible.  While this may no longer be a threat (the holes used to gain access were closed),   your passwords may still be in the possession of the same people who create hacks for Soldat.

They did not do anything malicious with the access they gained, though I'm guessing you don't want your passwords known by someone else.

Many measures have been taken to ensure that this does not happen again, and I'm working with numerous professional sysadmins to inspect the security of the server that was compromised.

If you would like more information on what happened, please post here, PM, or e-mail me.  There are some details that I would not like to reveal, though the holes related to those details have been fixed.

Ultimately, it was due to the remote access hole in the dedicated server before version 2.5.4.  Thank you very much to EnEsCe for fixing that as quickly as he did.

[mar77a]

Question, did the "hackers" found this ages ago or just lately?

[FliesLikeABrick]

Question, did the "hackers" found this ages ago or just lately?

They only found this hole in the server a day or two (I believe) before NSC fixed it.  It was definitely not a long time


edit: I just want to share that I knew that the hackers gained access to some things very shortly after they did it, and I promptly close the holes they used to gain that access.  I haven't posted about this until now because it wasn't until today that I knew enough to post about what happened and to be able to answer questions about it.

[ElephantHunter]

Remember when you change your password, to include at least one special character and two numbers. Make up something funny and easy to remember!

Examples:
4sex$2
wha!?11

[FliesLikeABrick]

Capital letters are always good too.  Adding one or two capital letters or symbols makes the password take many, many times longer to break, because each character then could be one of 52 or 80 things, instead of just 26

[User No. 2]

FliesLikeABrick md5 is nowadays relate low protection hash for security things like storing passwords in database, because as you mention there are exists md5 hashes databases, which potentially can use person who has access to hashes (like in this potential leak). Recommendation is to use (own chosen) "salt" secret word which is concatenate to string (in this case password) before md5 hashing, which make all premaded md5 hashes database unusefull for potential attacker.

Code: [Select]

/****************************************
 *   old md5 method (like is used in this forum)    *
 ****************************************/
$password = "MySecretPassword123";
$hashed_password = md5($password); // hash which is stored in database



/****************************************
*     new recomended method of md5 usage      *
 ****************************************/
$SALT = "soldatforumssecret342"; // secret "salt" string

$password = "MySecretPassword123";
$password .= $SALT; // concatenate with "salt" -> "MySecretPassword123soldatforumssecret342"
$hashed_password = md5($password); // hash which is stored in database

Even if attacker will find in the future salt, he can`t use any premaded md5 hashes database.

FliesLIkeABrick if you want to manual reprogram forum code to simultaneous use "old" md5 hashes (for users that haven`t update their passwords yep) and new "salted" hashes give me a sign on PM.

[mar77a]

you can also do md5(md5()) or sha1() and whatnot

[FliesLikeABrick]

FliesLikeABrick md5 is nowadays relate low protection hash for security things like storing passwords in database, because as you mention there are exists md5 hashes databases, which potentially can use person who has access to hashes (like in this potential leak). Recommendation is to use (own chosen) "salt" secret word which is concatenate to string (in this case password) before md5 hashing, which make all premaded md5 hashes database unusefull for potential attacker.

Code: [Select]

/****************************************
 *   old md5 method (like is used in this forum)    *
 ****************************************/
$password = "MySecretPassword123";
$hashed_password = md5($password); // hash which is stored in database



/****************************************
*     new recomended method of md5 usage      *
 ****************************************/
$SALT = "soldatforumssecret342"; // secret "salt" string

$password = "MySecretPassword123";
$password .= $SALT; // concatenate with "salt" -> "MySecretPassword123soldatforumssecret342"
$hashed_password = md5($password); // hash which is stored in database

Even if attacker will find in the future salt, he can`t use any premaded md5 hashes database.

FliesLIkeABrick if you want to manual reprogram forum code to simultaneous use "old" md5 hashes (for users that haven`t update their passwords yep) and new "salted" hashes give me a sign on PM.

I know all of this, I've already been using salted hashes for new things that I've coded.  I have already been doing many things to improve the security of the server hosting soldat forums as well as the various sites and servers hosted on it.

Nonetheless, thanks for your input

[User No. 2]

you can also do md5(md5()) or sha1() and whatnot

Yes, "salt"+md5(md5()) is very good solution too, but never use only md5(md5()) etc. without any good (long) "salt", because, there`re exist databases for hashes md5(md5()) (and any typical combinations hashes like sha1() etc.) too, but using for example md5(md5()) with long (and unique self selected secret) "salt" can make potential use of any premaded hashes databases (even in the future) unusefull or really hard to use for attacker.

I've already been using salted hashes for new things that I've coded

Yes, it`s good standard. : -)

Of course you can salt soldatforums users passwords hashes too with making possible to coexist old system hashes and new system hashes in the same database table. For example you can increment length of hashpassword column (for md5 hash length is 32 characters, so make it 33) in users table in database. Then make new (better, more salted etc.) password hash 1 character longer then old (existing in database hashes) and before calling password verification function you will be able to check if user has old system hash (user haven`t change his password yet and his hash is 32 characters long) or if user is using new more secured hash.

[Lapis Lazuli]

Don't just change your Soldat forums password. Change any password you use anywhere else. This is especially important if you're lazy and you use the same password here for say, your email, or your system log-on.

Change your passwords frequently, anyway. About once every three months or so.

[FliesLikeABrick]

Don't just change your Soldat forums password. Change any password you use anywhere else. This is especially important if you're lazy and you use the same password here for say, your email, or your system log-on.

Change your passwords frequently, anyway. About once every three months or so.

yeah, change other passwords if you use the same one there as you do here... but if you use a password for soldatforums and not other places... you're fine.

The best thing to do is have (at least) 3 different passwords for things that are of different levels of importance, instead of using the same password everywhere:

1 for things that aren't important at all like forums you never go to, sites you signed up to download something once but never need to go back

1 for things that are kinda important, like e-mail, IM programs, forums where you're mod/admin or otherwise have a reputation that you don't want compromised, ...

1 for really important things like servers, bank accounts,...

[EnEsCe]

I have so many passwords (7 and counting) that I use simultaneously that I cant even remember which one I just changed my forum password too.... oh well. SMF blocks you after like 5 attempts or something