Thu
Aug 14 2008 7:26am

We wuz hacked

On Tuesday afternoon, an intruder defaced Melissa Singer's post below, replacing it with a threatening message.  They also messed nondestructively with a few other parts of the site.  To the best of our knowledge, their effects have now been undone.

The break-in was most likely accomplished by means of a vulnerability in Joomla, our content-management system, which was first discussed in public on Tuesday and patched on the same day; in other words, the intruder took advantage of a very brief window of opportunity.

We have no particular reason to think they made off with passwords or other personal information, but it's not impossible.  Currently the site doesn't contain any personal information much more sensitive than people's email addresses, so there's not a lot of exposure, but we're telling you about the incident so you can make your own decisions. (If you want to change your password, you can do it from the "account settings" link that shows up when you're logged in.)  Speaking just for myself, I apologize for the fact that this post didn't go up a day ago.  We'll try to be quicker to acknowledge any future security issues that present themselves.
 

14 comments
William S. Higgins
1. higgins
I looked, but apparently Hallmark doesn't make a "Sorry To Hear Your Server Was Cracked" card.
Debbie Moorhouse
4. GUDsqrl
Hallmark are way too busy sending me spam to design new cards ;).
Earl Cooley
5. shiva7663
The good of this is that now that it's happened, you've had a live fire chance to test your disaster recovery plans.
Thomas Perry
6. SirTomster
Hmm what is my password. My name is Patrick Neilsen Hayden.. Please send to my account thanks.
Clifton Royston
7. CliftonR
Well, in lieu of a Hallmark card, I'll repost my poem of condolence in the customary form:

This is just to say

We have Haxxor3d
Your blog
That was on the Interwebs

And which
You were probably
Saving fandom with.

Forgive me
It was vulnerable
So Googlejuicy
And 0day.
Scott Marlowe
8. scottmarlowe
Thanks for the heads up. I changed my password, just to be safe.

A word of warning (and a note to self): Try not to use the same password all over the place. It's a pain, but if someone hacks a site like this one and gets a hold of your one and only password that you like to use on facebook, twitter, your favorite online bank...
Arachne Jericho
9. arachnejericho
One good thing about Joomla---from the very start, they don't store your password in cleartext. They hash it using md5sum (these days, along with a salt). Your password ends up looking like

7a0479dc917d35bd822cecb558c8d432

in the database.

How does Joomla log you in if it doesn't store your "real" password? It just applies the md5sum algorithm (with salt) to the contents of the password textbox. If the result matches the md5sum in the database, you're logged in.

Note that you can't use the md5sum version of your password to log in. If you apply md5sum to an md5sum string, you get a very different md5sum.

If you have the md5sum only, the chances of getting back to the original plaintext password to log in is very, very slim.

Basically, there are no passwords the attackers got away with. We all might get more spam than usual, but the passwords should be safe.

Regardless, scottmarlowe is very correct about not using the same password everywhere.

This is why software that stores passwords as cleartext in the database are stupid.
Neil Clarke
10. Clarkesworld
If you have the md5sum only, the chances of getting back to the original plaintext password to log in is very, very slim.


The exception to this is when you create a password that is a variation of your username, phone number, or words you'd find in a dictionary. A brute force compare against the md5sum string could reveal poorly chosen passwords. In routine security scans for systems at one of my prior jobs, we were able to get 10-15% of the passwords with nothing more than a program using dictionary words.

In short, make your password something that would be meaningless to someone other than yourself and use numbers and punctuation where possible.
Arachne Jericho
11. arachnejericho
@Clarkesworld,

That's so true. (Punctuation should always be allowed in passwords! Sadly, this is not always the case. Control characters, if they're allowed, are keen, too.)

These days brute force password cracking programs can not only use dictionary words, but also know about the numbers as letters tricks---e.g, 3 for e's, 0 for o's, 1 for l's, etc. They also know about prefixing and suffixing with a digit, so that's not terribly safe either. I don't think even two plain dictionary words together are safe.

The longer your password, the harder it will (usually) be to crack. And the longer your password, the more chance there is for you to apply a personal mnemonic to it, and thus you will remember it better.

Here's a guide to choosing good passwords.

My passwords are never less than 10 letters long, unless there's a restriction to 8 characters for some older systems.
Chris Sullins
12. chrissullins
Not to mention that there is an md5 lookup database, which contains 1,133,758,187 unique hashes. So, if the hacker has the hashed passwords, all of the obvious ones are crackable in milliseconds, and a large number of the less obvious ones are. Probably a good idea to change your password anyway, unless it's a random string already.
Madeline Ferwerda
13. MadelineF
Well, shoot, arachnejericho, so much for my clever "backwards in l33t" scheme. Thanks for the link, really useful!
Patrick Nielsen Hayden
14. pnh
#6, Sir Tomster: I figure if the black hats can't spell my name any better than that, I'm probably safe.

Security Through Obtusity!

Subscribe to this thread

Receive notification by email when a new comment is added. You must be a registered user to subscribe to threads.
Post a comment