
Security Announcement!!


33 replies to this topic

#1
Grumpy

Grumpy

    RawR

  • Administrators
  • 4,030 posts
  • LocationHere of course!

There has been a recent hacking spree of several manga sites and many id/pass combos have been stolen.

 

I know many people tend to use same id/pass combos on many sites. I urge people to change their passwords immediately to prevent potential hacking on your account.

 

There is no known leak from the Batoto servers right now, but your account (which could use a leaked password) may still be in danger.

 

Here is a reddit thread discussing the issue (also has list of compromised sites):

http://www.reddit.com/r/manga/comments/27onlv/mangatraders_has_been_hacked/

 

 

----------------

 

If you want to learn about safe password practices through comics, here are two XKCDs.

Picking a good password: http://xkcd.com/936/

Dangers of password reuse: http://xkcd.com/792/ (more relevant to current issue)

 

-----------------

 

For anyone wondering, our login system is IPB's login system.

 

You can change your password here:

http://www.batoto.net/forums/index.php?app=core&module=usercp&tab=core&area=email

 

-----------------

 

General Safety Tools

  • If you want to store all your passwords somewhere safe, you can try KeePass
  • If you want some tool to create and type in passwords for you, you can try LastPass.
  • If you have difficulty remembering different passwords, try creating your own system of passwords. For example: (Don't use these. Make your own! Combine them! Be creative!)
    • Like weaving letters. If your typical password is "hello" and you visit "batoto", your password could be "bhaetloltoo".
    • Or you can create sentence expressions like "Batoto is awesome!!1". Easy to remember and even has punctuation! (Note: Some sites do not accept space characters)
    • You can even use non-English characters! (Again, some sites do not accept non-English [non-alphanumeric] characters. :( )


#2
Black Phoenix

Black Phoenix

    Potato Spud

  • Contributor
  • 17 posts
  • LocationPortugal

Thank you, I've changed it just because I should have changed it a year ago.

 

I use different passwords for each login I have, but just in case (thanks to a database I transport on removable media that I take around with me every time, and I have triple copies of the database on-site and off-site).


Edited by Black Phoenix, 10 June 2014 - 12:45 AM.


#3
cartographer

cartographer

    Potato Sprout

  • Members
  • 6 posts

"The security of the MD5 hash function is severely compromised." (Hint: MD5 is what IP Board uses for password hashing)

 

Is there any chance something like bcrypt could be used instead of MD5? (or possibly in addition to it, in order to avoid having to reset everyone's passwords) It would really make security for Batoto at least a lot better (AFAIK bcrypt remains unbroken). I believe there should be some existing open source PHP implementations out there that you should just be able to plug in.



#4
Black Phoenix

Black Phoenix

    Potato Spud

  • Contributor
  • 17 posts
  • LocationPortugal

If you use "salted" MD5, that should be a little more difficult to decrypt.

 

Example:

 

Without salt:

d41d8cd98f00b204e9800998ecf8427e

 

With salt (sdfsdf):

d58e3582afa99040e27b92b13c8f2280

 

If the salt is randomly generated, it's difficult to decrypt it.


Edited by Black Phoenix, 10 June 2014 - 02:42 AM.


#5
cartographer

cartographer

    Potato Sprout

  • Members
  • 6 posts


If you use MD5 "salted" that should be prevented.

 

Example:

 

Without salt:

d41d8cd98f00b204e9800998ecf8427e

 

With salt (sdfsdf):

d58e3582afa99040e27b92b13c8f2280

 

If the salt is randomly generated, it's difficult to decrypt it.

 

Well, yes and no. Salts prevent an attacker from using a pre-generated rainbow table or brute forcing all of the passwords at once (since salts should be unique for each user/password). But MD5 itself isn't the greatest algorithm, which is to say, it's not very computationally intensive, so if an attacker really cared they could go through and brute force passwords individually (since salts are stored with the hashed passwords), which could be easy for passwords that consist of just words or phrases rather than actually nonsensical letters/numbers.

 

Edit: Database might look like this:

 

Password (Hashed) | Salt

914d5dcf4edf33b9678ba70c875be6e0 | 9pa53f19

 

Since we know the salt, the hash, and that IP Board uses:

$hash = md5( md5( $salt ) . md5( $password ) );
 
We could just go through an English dictionary and try random combinations of words and numbers (to quote Wikipedia again: "An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second"; note that the 8800 Ultra is an old card with the capability of ~512 GFLOPS, whereas the Titan Z has the capability of around ~8122 GFLOPS). By doing so we might discover that the password was "password1" all along! Luckily for some of us though, (salted) passwords which are actually fairly nonsensical like "wiDsa432" would have to be truly brute forced, and would probably not be worth the effort.

Edited by cartographer, 10 June 2014 - 03:09 AM.


#6
Cake-kun

Cake-kun

    Potato

  • Contributor
  • 160 posts
  • LocationNot on your plate, hopefully

There was the possible hacker in /a/ in regards to what led him to do it.
He said he injected script into php (they ran an unstable version of BSD or something, hacked kernel pretty much), then inserted himself as admin, then managed to download the entire database, I believe. He told MT, supposedly, about how weak the security already was, and supposedly he said no one took him seriously?
I don't think that's the issue here, the issue is this
Yes, for MT, the password was not salted, meaning it wasn't encrypted well. It was only MD5, meaning, yes, it was attacked with dictionary and guy managed to pull out the password out of the database
Salted can still be decrypted. Will it be easy, no. But the fact was there was barely any encryption, the password database has been leaked, and he leaked unencrypted emails with password, next to MD5 hashes. This is bad, since, as I mentioned above, he injected himself as the Admin, so he knew what he had to look for for the hash. Now, if they get access this way, salting does absolutely nothing, since now the encryption can be reverse-engineered removed.

(outside of all this, however, is that; what bothers me is the fact that my email was somehow on the list and I didn't sign up for MT yet. And with my throwaway password, to make it worse. The confusion ensues)

 

Now, Grumpy, I know this might be too technical, but at least our password is "salted", right? Not just MD5 encrypted
And hopefully, Batoto isn't as weak in security


Edited by Cake-kun, 10 June 2014 - 03:31 AM.


#7
Grumpy

Grumpy

    RawR

  • Administrators
  • 4,030 posts
  • LocationHere of course!

Now, Grumpy, I know this might be too technical, but at least our password is "salted", right? Not just MD5 encrypted

And hopefully, Batoto isn't as weak in security

Yes.

 

And Batoto keeps up with all the security releases by IPB, and more (os, etc.).



#8
Rave Jai Ho

Rave Jai Ho

    Potato

  • Members
  • 114 posts

Related read: https://crackstation.net/hashing-security.htm


A little off-topic (but related): Please, please consider adding secure login to the site.



#9
Cake-kun

Cake-kun

    Potato

  • Contributor
  • 160 posts
  • LocationNot on your plate, hopefully

2 factor authentication would be nice, eventually, yeah



#10
NiceBoat

NiceBoat

    Potato Spud

  • Members
  • 22 posts

Good thing I only use Batoto!

 

Thanks for the heads up.


Edited by NiceBoat, 10 June 2014 - 05:01 AM.


#11
Grumpy

Grumpy

    RawR

  • Administrators
  • 4,030 posts
  • LocationHere of course!

Related read: https://crackstation.net/hashing-security.htm

For new applications on PHP (this site is in PHP), doing it right is very simple and easy. Doesn't need a 50 page explanation.

Create the hash with password_hash($passwordhere, PASSWORD_DEFAULT) and check with password_verify($typedpass, $hashere). Voila~

Worst part is, none of the PHP security blogs seem to post about it. :-/ At least not yet, since it's very new.

 

A little off-topic (but related): Please, please consider adding secure login to the site.

Actually tried it before. Unfortunately, IPB seems to be made to have SSL everywhere or nowhere. And since we have ads (which naturally break the SSL principle), we can't really have SSL. I do hope IPB changes it so SSL in parts of the site is possible. Like the login/registration page (where we don't have ads anyway).
 

2 factor authentication would be nice, eventually, yeah

Indeed... I was actually pondering about it earlier. But, this is a manga reading site with little info about the user stored behind the scenes to be exposed (beyond possible login info). Not much data to protect -- so it's questionable whether such is worthwhile. IPB marketplace does seem to have two paid plugins for it though. It'd only really be worthwhile for admins, to prevent a mass leak in the event their account's password gets compromised. If a normal user's does... it's really not that big of a deal since there isn't much to take. But still, if there's enough people who want it, I'll probably install it.
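The two schemes discussed in this thread side by side, as an added example that is not code from the thread or from IPB: the legacy IPB formula md5(md5(salt) . md5(password)) quoted in post #5, and the "verify with whatever the record uses, then re-hash on a successful login" approach that lets a site move to a slow hash without forcing everyone to reset (post #3 and post #11). It is written in Python rather than PHP, and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for password_hash()'s bcrypt (an assumption made here so the block runs offline); the user record layout and the salt value are constructed.

```python
import base64
import hashlib
import hmac
import os

# Legacy IPB scheme as quoted in the thread: md5( md5($salt) . md5($password) ).
# One fast MD5 per guess is exactly why it falls to dictionary attacks.
def ipb_legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

# Slow, per-user-salted KDF standing in for password_hash()/bcrypt (assumption:
# PBKDF2-HMAC-SHA256; bcrypt or Argon2 would be the usual production choice).
PBKDF2_ROUNDS = 200_000

def modern_hash(password: str) -> str:
    salt = os.urandom(16)                      # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS,
                                base64.b64encode(salt).decode(),
                                base64.b64encode(dk).decode())

def modern_verify(password: str, stored: str) -> bool:
    _, rounds, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))   # constant-time compare

# Constructed user record: the "Password (Hashed) | Salt" row shape from post #5,
# plus a scheme tag so old and new hashes can coexist in one table.
def make_legacy_user(password: str, salt: str) -> dict:
    return {"hash": ipb_legacy_hash(password, salt), "salt": salt, "scheme": "ipb_md5"}

def login(user: dict, typed: str) -> bool:
    """Check the typed password against whichever scheme the record uses.
    On a successful legacy login the plaintext is in hand, so re-hash it with the
    slow KDF and drop the MD5 hash; no password reset is needed."""
    if user["scheme"] == "ipb_md5":
        ok = hmac.compare_digest(ipb_legacy_hash(typed, user["salt"]), user["hash"])
        if ok:
            user.update(hash=modern_hash(typed), salt=None, scheme="pbkdf2")
        return ok
    return modern_verify(typed, user["hash"])
```

Records that never log in again keep their MD5 hash, so a migration like this is usually paired with a deadline after which remaining legacy accounts are forced to reset.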



#12
S.C.

S.C.

    Baked Potato

  • Contributor
  • 1,258 posts
  • LocationThe Epicenter of Indifference

I use different passwords for everything, so I'm not too worried.

Still, maybe I should consider changing a few, just to be safe...




#13
Gendalph

Gendalph

    Fried Potato

  • Contrib Mods
  • 575 posts
  • Locationbeyond the Veil
I'll leave these here: KeePass (ChromeIPass, PassIFox), LastPass

#14
Moloch

Moloch

    Fingerling Potato

  • Members
  • 79 posts

Eh, whatever. I use neither this name nor this e-mail address anywhere else. They can have my password for all I care.



#15
keik

keik

    Potato Spud

  • Members
  • 31 posts

And what about login with twitter? Should I change my twitter pass?



#16
seyrine

seyrine

    Unemployed Kitty In A Penguin Suit

  • Administrators
  • 1,829 posts
  • LocationLurking nearby...

And what about login with twitter? Should I change my twitter pass?

It's better to be prudent, especially if you use your twitter passwords with other sites. We can't say for sure that a certain site is safe anyway.


Catch my story; the Neverender Series

Batoto's Rules Repository | Rules, Guidelines and FAQs

Rules and Regulations | How to get help | Frequently Asked Questions

If all else fails, PM me. And use the REPORT button if you see any content that may violate site policy.

Catch me on irc.idlechat.net (#seyrine) and D.F.T.B.A.!


#17
ku4eto

ku4eto

    Potato Spud

  • Members
  • 32 posts
  • LocationBulgaria,Sofia

As someone who is in hosting company and working as tech support - MD5 hash without salt is retarded. And guess what : <!--p>The <a href="http://forums.mangatraders.com">Mangatraders Forums</a> are still up, you can check there for any updates on the status of the repairs.</a-->

aaand the forums give 404.

Now if the admins were retarded enough to use the same username/password for the Control Panel account, the hacker can do pretty much whatever he wants.
Anyway, I don't know if Mangatraders were using some kind of CMS or a custom made site, but unless they had some real brains, they would have custom made it, with proper .php coding. I mean, how can you inject a .php file on a subdomain, and blah blah... Normally you would use 644 perms, but I have seen enough idiots who put 744/755/777 perms on important stuff. Also, MySQL passwords, unless written manually, are randomly generated strings. I presume they wrote some idiotic password that they already used almost everywhere. Whatever, they can't just go and change 1 mil already existing passwords from MD5 to something else. That would be just ... too hard and long. If the hacker gave them the chance to realize that they have weak passwords, and they did not listen - they deserve it.


"Together we fight.... for the blood of the nations!"
"Running through life with blindfolds..."


#18
ku4eto

ku4eto

    Potato Spud

  • Members
  • 32 posts
  • LocationBulgaria,Sofia

Just a question, are you running on VPS, Dedicated, or some Shared hosting?




#19
Grumpy

Grumpy

    RawR

  • Administrators
  • 4,030 posts
  • LocationHere of course!

Just a question, are you running on VPS, Dedicated, or some Shared hosting?

load balanced private network of dedis...

I don't think you realize the scale of Batoto.



#20
ku4eto

ku4eto

    Potato Spud

  • Members
  • 32 posts
  • LocationBulgaria,Sofia

:P Which I presume means several accounts with different passwords, running on cPanel/Hepsia, with DBs with different passwords? What about ModSecurity, do you have that/use it on Active? I am a bit interested to compare Batoto's system to other sites. Also, by any chance do you use FTP accounts to upload crap :D ?

