Firstones Server: Dreamhost Hacked

Random Chaos (Actually Carefully-selected Order in disguise)
Greetings!

Our host, Dreamhost, had their database hacked and their server passwords compromised yesterday. They have been reset, but I can't trust that nothing got shoved onto their network before the compromise was disrupted.

Therefore, anyone who's browsing our website, keep an eye open for anything odd (that is, anything not odd in the way Firstones is normally odd).

More info: [URL]http://blog.dreamhost.com/2012/01/21/security-update/[/URL]

Thanks!

Zathras

Comments

  • Stingray (Elite Ranger)
    So all this hoopla to tell us that nothing happened?

    Thanks... I guess. Nothing to see, move along.
  • WORF (The Burninator)
    After a potential security breach, nothing to see strikes me as a good thing.
  • Stingray (Elite Ranger)
    Considering that all computers connected to the internet are being probed automatically and continuously for security breaches by bots, I'm not sure how this is relevant.

    That's like telling us we didn't get sick today because our immune system fought off a virus or a pesky germ.

    I suppose that's a good thing, but hardly worth crying wolf about or putting up an ad in the Wall Street Journal.

    The folks at DreamHost did their job and all appears to be ok. Unless Anonymous is targeting FirstOnes!! :nervous:
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Stingray, per Dreamhost:

    [QUOTE]Our Security and Software teams have been investigating if any customer sites, apps or blogs have been affected as a result of the intrusion. As yet we have not identified any major issues – potentially as a result of the swift action to force a password reset.[/QUOTE]

    That statement means that while they have seen nothing yet, it doesn't mean there is nothing. The whole point is we need to keep our eyes open too because something could have gotten inside.
  • I continue to trust that the Firstones forum passwords are protected with appropriate manner.
  • Lord Refa (Creepy, but in a good way)
    Run to the hills! It's the Borg! They are working for ******* and after our precious bodily fluids!

    Damn space communists!
  • Stingray (Elite Ranger)
    :D
  • Random Chaos (Actually Carefully-selected Order in disguise)
    Sinclair: I wouldn't trust password security on any forum, any website.

    vBulletin, the most popular forum software (and that which we use) stores passwords with an MD5 hash. Unfortunately MD5 is a really insecure and easily cracked storage engine that dates from 1991. There are a ton of open source tools to exploit weaknesses in the methodology. However, actually reversing a password is fairly hard (mainly because multiple passwords result in the same hash). Additionally, to start you have to get the database. vBulletin does a good job of preventing that, with good code auditing and security measures. Most likely an exploit to get the database would have to come through other software on the same server, or a server compromised through a means other than the web.

    Generally if you're looking for security of your database passwords, you want to store passwords with SHA-2 (generally SHA256 or better), which was developed in 2006 as the result of security holes found in SHA1, which itself was a replacement for MD5 and its security holes.

    AES is acceptable for password storage, but AES is an encryption not a hash, so if you know the key you can read the password.

    --

    You may be wondering about other bulletin boards. The most common open source board is PHPBB. Unfortunately PHPBB takes security as a secondary idea, and their code is full of tons of SQL vulnerabilities. It is the most hacked bulletin board around, often resulting in server compromise. No idea what password hash they use, though.

    Hope this helps!
  • By appropriate I meant the best possible method the software allows.

    I understand what you mean about the passwords, thus I leave Firefox to remember those for me. Most of the passwords are gibberish, some very clear and even easy. Easy because I don't like to check my password wallet when logging in outside my home computer.

    The password basically just protects one thing, the email. Even though it can be fetched directly from the database as well if it's not encrypted...

    But I've taken some measures to cover the email. The email which I use is protected by three levels with all different passwords.

    Level 3 = Some made account with message forwarding.
    Level 2 = Other account with message forwarding
    Level 1 = The email I use.
    Level 0 = COE (Continuity plan of E-mail)

    Level 1 email is only provided to those whom I can trust, basically network banking and related services. All the other messaging happens either via Level 2 or Level 3, both of which have multiple different mailboxes. Eventually everything just leads into one.

    "Losing" one of the Level 3 or Level 2 email addresses to bad guys is not the end of the world. Losing the Level 1 account would cause direct harm, thus Level 0 is maintained for emergency situations. A copy, with a slightly different email address.

    Purpose for all of this, I suppose I was just bored that day.
  • Random Chaos (Actually Carefully-selected Order in disguise)
    I used to use a different email for every website. Now I use a different email for each block of several websites.

    There are reasons why:

    1. Each site with a unique email address lets me identify if that site allowed my email address to be mined, or they sold it improperly. So far, I have had no corporation sell my email address outside their privacy policy, which is damned good in the 10+ year period I've been doing this.

    2. By having a different email address for each website, not only do you have to know what my password is, but since on many websites the login username is your email address, an attacker also has to know which email address I associated with that website.

    In all cases, these are forwarding emails to my main account.
  • Stingray (Elite Ranger)
    I know people who use a different pen for every character they write. :D

    [URL="http://www.youtube.com/watch?v=cj2Gwb-Ph2g"]And no, they are not insane.[/URL] ;)

    Talk about security!
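Random Chaos's comment above contrasts unsalted MD5 storage with a SHA-2 based scheme. The following is an added example, not code from the thread, from vBulletin or from Dreamhost, showing concretely why the distinction matters to a site operator whose database might leak: an unsalted hash is deterministic, so every user who chose the same password ends up with an identical stored value and one precomputed lookup covers all of them, while a per-user salt plus an iteration count (here PBKDF2-HMAC-SHA256 from Python's standard library) removes that shortcut and slows each guess. The user table, passwords and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample user table (not real accounts): two users picked the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "staple-battery-42",
}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the thread attributes to vBulletin.

    Deterministic: every user with the same password gets the same stored value,
    so a single precomputed table entry covers all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated SHA-256 via PBKDF2-HMAC (SHA-2 family, as recommended in the thread,
    with a random per-user salt and a work factor). Stored as 'iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Given {user: stored_value}, return groups of users whose stored values are identical.

    On a leaked unsalted table this grouping is visible for free; a salted scheme yields none."""
    by_hash: Dict[str, List[str]] = {}
    for user, value in stored.items():
        by_hash.setdefault(value, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> Dict[str, int]:
    """Count users sharing a stored value with someone else, for each scheme."""
    md5_table = {u: md5_store(p) for u, p in users.items()}
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in users.items()}
    return {
        "md5_users_in_shared_groups": sum(len(g) for g in shared_hash_groups(md5_table)),
        "pbkdf2_users_in_shared_groups": sum(len(g) for g in shared_hash_groups(pbkdf2_table)),
    }


if __name__ == "__main__":
    print(compare_schemes())  # alice and bob collide under MD5, nobody under PBKDF2
    record = pbkdf2_store("correct horse")
    print(pbkdf2_verify("correct horse", record), pbkdf2_verify("wrong guess", record))
```

The stored record carries its own salt and iteration count, so an operator can raise the work factor for new records without breaking verification of old ones; `hmac.compare_digest` avoids leaking which prefix of the hash matched through timing.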