On Tuesday afternoon, an intruder defaced Melissa Singer's post below, replacing it with a threatening message. They also messed nondestructively with a few other parts of the site. To the best of our knowledge, their effects have now been undone.
The break-in was most likely accomplished by means of a vulnerability in Joomla, our content-management system, which was first discussed in public on Tuesday and patched on the same day; in other words, the intruder took advantage of a very brief window of opportunity.
We have no particular reason to think they made off with passwords or other personal information, but it's not impossible. Currently the site doesn't contain any personal information much more sensitive than people's email addresses, so there's not a lot of exposure, but we're telling you about the incident so you can make your own decisions. (If you want to change your password, you can do it from the "account settings" link that shows up when you're logged in.) Speaking just for myself, I apologize for the fact that this post didn't go up a day ago. We'll try to be quicker to acknowledge any future security issues that present themselves.
Friday August 15, 2008 02:05am EDT
This is just to say
We have Haxxor3d
Your blog
That was on the Interwebs
And which
You were probably
Saving fandom with.
Forgive me
It was vulnerable
So Googlejuicy
And 0day.
Friday August 15, 2008 10:14am EDT
A word of warning (and a note to self): Try not to use the same password all over the place. It's a pain, but if someone hacks a site like this one and gets a hold of your one and only password that you like to use on facebook, twitter, your favorite online bank...
Friday August 15, 2008 11:22am EDT
7a0479dc917d35bd822cecb558c8d432 in the database.
How does Joomla log you in if it doesn't store your "real" password? It just applies the md5sum algorithm (with salt) to the contents of the password textbox. If the result matches the md5sum in the database, you're logged in.
Note that you can't use the md5sum version of your password to log in. If you apply md5sum to an md5sum string, you get a very different md5sum.
If you have the md5sum only, the chances of getting back to the original plaintext password to log in are very, very slim.
Basically, there are no passwords the attackers got away with. We all might get more spam than usual, but the passwords should be safe.
Regardless, scottmarlowe is very correct about not using the same password everywhere.
This is why software that stores passwords as cleartext in the database is stupid.
Friday August 15, 2008 12:14pm EDT
The exception to this is when you create a password that is a variation of your username, phone number, or words you'd find in a dictionary. A brute force compare against the md5sum string could reveal poorly chosen passwords. In routine security scans for systems at one of my prior jobs, we were able to get 10-15% of the passwords with nothing more than a program using dictionary words.
In short, make your password something that would be meaningless to someone other than yourself and use numbers and punctuation where possible.
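To make the two comments above concrete, here is an added example (not code from the thread or from Joomla itself) that assumes the salted-MD5 layout Joomla 1.5 used, md5(password + salt):salt, and a constructed user table. It shows the login check, shows that submitting the stored md5sum as the password does not log you in, and runs the kind of wordlist audit an administrator uses to find poorly chosen passwords before an intruder does.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Assumed layout: "<md5 hex of password+salt>:<salt>" (Joomla 1.5 style).
def joomla_hash(password: str, salt: Optional[str] = None) -> str:
    """Build the stored credential string for a new or changed password."""
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex chars, fresh per user
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"

def verify(password: str, stored: str) -> bool:
    """Login check: re-hash the submitted text with the stored salt and compare."""
    digest, salt = stored.split(":", 1)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    # Constant-time comparison so the check itself leaks no timing information.
    return secrets.compare_digest(candidate, digest)

def audit_weak_passwords(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender-side audit: which accounts use a password found in the wordlist?

    The salt stops one precomputed table from covering every user, but a plain
    MD5 is fast enough that each account can be tried against a wordlist in turn.
    """
    weak = {}
    for user, stored in table.items():
        for word in wordlist:
            if verify(word, stored):
                weak[user] = word
                break
    return weak

# Constructed sample data: one dictionary password, one long passphrase.
USERS = {
    "alice": joomla_hash("letmein", salt="0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "bob": joomla_hash("correct horse battery staple 1987", salt="ffeeddccbbaa99887766554433221100"),
}
WORDLIST = ["password", "letmein", "qwerty", "monkey"]

if __name__ == "__main__":
    print(audit_weak_passwords(USERS, WORDLIST))  # only alice should appear
```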
Friday August 15, 2008 12:47pm EDT
That's so true. (Punctuation should always be allowed in passwords! Sadly, this is not always the case. Control characters, if they're allowed, are keen, too.)
These days brute force password cracking programs can not only use dictionary words, but also know about the numbers-as-letters tricks---e.g., 3 for e's, 0 for o's, 1 for l's, etc. They also know about prefixing and suffixing with a digit, so that's not terribly safe either. I don't think even two plain dictionary words together are safe.
The longer your password, the harder it will (usually) be to crack. And the longer your password, the more chance there is for you to apply a personal mnemonic to it, and thus you will remember it better.
Here's a guide to choosing good passwords.
My passwords are never less than 10 letters long, unless there's a restriction to 8 characters for some older systems.
Monday August 18, 2008 12:43am EDT
Security Through Obtusity!