RobLoos, Posted July 22, 2009:
1 question: via Twitter Matt told us: "Hak5 was indeed hacked along with all 84 of the other sites on the server being wiped, backups are a month old, rebuilding the server now". Why are the backups a month old? Other than that I'm pretty amazed that after 1 day the entire system is back up :) thx for the disclosure & warning us of the possible danger
VaKo (thread author), Posted July 22, 2009:
Measures put in place to stop recurring DDoS attacks tanked the backup system apparently; the specifics of this are best addressed to Matt himself.
VaKo (thread author), Posted July 22, 2009:
UPDATE: If you have posted and want your account deleted, please remove all personal details from the account and PM myself; your account will be banned. This allows us to keep the posts intact and you to be rid of your unwanted account.
deleted, Posted July 22, 2009:
Sorry to hear that. Luckily I use just the MD5 hash of one of my files as a password, and all I need to do is remember a different file. I know it's not random nor the best method, it's just an easy way to remember a password without writing it down or having a guessable one. Is this intrusion anything to do with the anti-sec movement? :P
loneferret, Posted July 22, 2009:
Has anyone taken credit for the hack? Also, is it just my imagination or is there an "anti-hak5" movement? I mean seeing exploits with terms and conditions like "You can do whatever you want with this code unless you're a Hak5 fan..."
wakes, Posted July 22, 2009:
Take site homepage offline, or leave online, but with really loud warning. Dumbasses who you have described who use important passwords on fun sites ARE at risk; you need to emphasise it more now and in the future.
loftrat, Posted July 22, 2009:
No drama, password changed, thanks for the heads-up guys.
Kung Fu Jesus, Posted July 22, 2009:
I know for a fact phpBB hashes the passwords in the database. I would assume the engine you guys use (looks like it may be vBulletin) does the same.
operat0r_001, Posted July 22, 2009:
This is why I run my own server ... I don't want some ass hat at my webhost to root my box .. got Comcast .. only time my site is ever down is Comcast. I once got hit by lightning and was out for like 3 days (lost cable modem, router and 3 NICs). One night somebody turned off my server because it was loud and they were trying to sleep .. Other than that, been dossed, but I will take a doss over r00t any @#%^ing day :) hak5.org run a drop to my house, I'll host the forums for you. If you have r00t you should do some of this along with snort: http://www.binrev.com/forums/index.php/top...ge__hl__mod_sec let me know if you need help
Matt Lestock, Posted July 22, 2009:
Hey everyone,

First let me be the first to apologize for what has happened over the last two / three days. After many cans of Red Bull, and more nicotine than I think I've ever had before, there are very few issues that remain to be resolved.

Let's start on what exactly happened. At approximately 3:30pm eastern time on Monday, the webserver that hosts Hak5 as well as 84 other non-Hak5-related sites was exploited by a cross site scripting attack which resulted in the dump of a MySQL field that contained the root password for the server. The reason this password was stored is because the billing system we have in place handles orders and cancellations based on a cron job automatically. However, recently the billing system began to employ the use of a remote key hash; however, not thinking about it, I never removed the root password from the other field. This mishap ended up causing the hell that has been my life for the last 48 hours.

This has been fixed: the remote access key can now only be used by scripts calling the key from the local machine. SSH certificate authentication has been enabled and password authentication is in the process of being disabled. We have modified our backup strategy and verified its functionality. We're still working on getting the backups stored remotely and this will happen within the next week.

I want to once again sincerely apologize for the problems that this has caused to each of you, our dedicated members. It has also made me rethink exactly how I go about security on things such as this. When I offered to host Hak5, it was to save $100 per month and increase performance of the site. When we migrated the website to my server we received a number of emails about the noticeable performance increase.

It saddens me that there are those who hate what we do so much that they are willing to completely destroy what we've done without remorse or consideration; however, there isn't anything we can do but to continue doing what we enjoy, bringing you weekly technolust.

I must also make this note: the attacker was not prdelka. I've been in contact with the real prdelka (who is a weekly viewer of the show) over the past 24 hours and he has provided me with numerous valuable pieces of information on who really perpetrated this attack.

There are also others who have been instrumental in the process of getting us back online and educated as to what happened. Mubix has done an amazing job of tracking logs and IP addresses and getting as much information as possible. Vako has been rock solid in his support and offering to help in any way he can, whether it be here on the forums, in IRC or elsewhere. The #hak5 IRC guys; while we've had our differences, you've really outdone yourselves in helping out in this situation and keeping things under control in there, my hat goes off to you guys. Steve from Rack911.com - Steve has been a good personal and professional friend of mine for a number of years, and his tireless hours in assisting me with getting the server and services on it back up and running have been an absolute life saver. There are others I'm sure I'm forgetting, but please know that all of the help that everyone has provided during this incident has been nothing short of awe inspiring.

Once again, thank you for watching Hak5 and should you have any questions regarding this or any other topic please feel free to contact me or post them here in the forums and I'll do my best to answer them.

Thanks,
Matt
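As an added example (not code from this thread or from Hak5) of checking the SSH hardening Matt describes, key authentication on and password authentication off, here is a POSIX shell audit of an sshd_config. The two config files it reads are constructed for the example; the directive names and defaults are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from the Hak5 thread: audit an sshd_config for
# key-only logins (PasswordAuthentication no, PubkeyAuthentication yes)
# and no root password login. Both configs below are constructed here.

# sshd_value FILE DIRECTIVE: print the effective value of a directive.
# sshd honours the first non-comment occurrence (case-insensitive), and
# global directives must precede any Match block, so stop at "Match".
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: return 0 when the file is hardened; otherwise
# print each weak setting and return 1. Absent directives take the
# OpenSSH defaults (password auth on, pubkey on, root login allowed).
check_sshd_config() {
    csc_pw=$(sshd_value "$1" PasswordAuthentication); csc_pw=${csc_pw:-yes}
    csc_pk=$(sshd_value "$1" PubkeyAuthentication);   csc_pk=${csc_pk:-yes}
    csc_root=$(sshd_value "$1" PermitRootLogin);      csc_root=${csc_root:-yes}
    csc_rc=0
    [ "$csc_pw" = no ]  || { echo "$1: PasswordAuthentication=$csc_pw (want no)"; csc_rc=1; }
    [ "$csc_pk" = yes ] || { echo "$1: PubkeyAuthentication=$csc_pk (want yes)"; csc_rc=1; }
    case "$csc_root" in
        no|prohibit-password|without-password) ;;
        *) echo "$1: PermitRootLogin=$csc_root (root password login allowed)"; csc_rc=1 ;;
    esac
    return $csc_rc
}

# Constructed "before" config: password logins and root login left at defaults.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed "after" config matching the fix described in the thread.
# The Match block is a constructed LAN exception; global checks ignore it.
FIXED_CFG=$(mktemp)
cat >"$FIXED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

if check_sshd_config "$WEAK_CFG"; then echo "weak config passed"; else echo "weak config flagged"; fi
if check_sshd_config "$FIXED_CFG"; then echo "fixed config passes"; fi
```

Point it at /etc/ssh/sshd_config on a real host to audit it; the check reads the global section only, so per-user Match overrides still need a manual look.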
severedspirit, Posted July 22, 2009:
These things happen, and thanks to this I don't think any of us running our own servers will have this problem ever again.
microft, Posted July 22, 2009:
Are you kidding me?! You kept my password in clear text?! WTF?! credibility = 0
VaKo (thread author), Posted July 22, 2009:
> Are you kidding me?! You kept my password in clear text?! WTF?! credibility = 0

Your password was never stored in clear text; as I have repeatedly stated, all forum passwords were hashed and salted.
Matt Lestock, Posted July 22, 2009:
> Are you kidding me?! You kept my password in clear text?! WTF?! credibility = 0

Let me be clear on this... NONE of your passwords were stored in clear text. They were hashed and salted. The only thing that was stored in clear was the root password of the server, and as mentioned, this has been fixed.

Matt Lestock
microft, Posted July 22, 2009:
OK, looks like I over-reacted. I'm sorry! This led me to think that:

> During this time the forum database was accessed and as such, passwords (which are linked to your email address) used for forum accounts have been compromised.

If they are hashed (with a good hash function) and salted then it's safe to say that they are not compromised. Anyway, I just learned something from all of this. Got to get a better way to generate/manage passwords.
Kung Fu Jesus, Posted July 22, 2009:
> Let me be clear on this... NONE of your passwords were stored in clear text. They were hashed and salted. The only thing that was stored in clear was the root password of the server, and as mentioned, this has been fixed. Matt Lestock

That's what I figured. Then why the hell does the email you guys sent say to change my passwords associated with my email address? The only thing I'm worried about is an additional 200 spam emails per day.
VaKo (thread author), Posted July 22, 2009:
> That's what I figured. Then why the hell does the email you guys sent say to change my passwords associated with my email address? The only thing I'm worried about is an additional 200 spam emails per day.

Because the server was compromised, and several passwords were leaked, including my own. However we know other passwords weren't. The issue here is that the server was rooted, and for a period of time we know that a 3rd party was in full control of it. We cannot know whose passwords were recovered by the hackers, so we have to notify *everyone* that there was a break-in and that there is a *potential* that other passwords were stolen. This is largely a preventative measure.
Kung Fu Jesus, Posted July 22, 2009:
Was this the SQL root password or the actual root password? Regardless, most of the time it's quite difficult/impossible to reverse a hashed field.
El Di Pablo, Posted July 22, 2009:
Hack happens. Thanks for letting us know. -EDP
loftrat, Posted July 22, 2009:
Do we know if any large portions of data were harvested (does the server log show any such activity)? What I guess I'm wanting to know is, what are the chances that my email address is currently being targeted by people wanting to sell me penis enlargements?
Jason Cooper, Posted July 22, 2009:
> Do we know if any large portions of data were harvested (does the server log show any such activity)? What I guess I'm wanting to know is, what are the chances that my email address is currently being targeted by people wanting to sell me penis enlargements?

Quite high, but then it is for any email address :)
digip, Posted July 22, 2009:
> Was this the SQL root password or the actual root password? Regardless, most of the time it's quite difficult/impossible to reverse a hashed field.

Reversing might be hard, but if they had root access at some point, they can overwrite a hash in the database with their own to use on someone's account later on. I used to have to force a hash into WordPress in order to fix borked upgrades that screwed up the database. It's possible to overwrite the hash with a "known" hashed password, then it's game over. If they created one on someone's account, and they don't bother to change it, they could come back later as that user, say, if that person hadn't logged on for a while and wasn't aware of the compromise.
Kung Fu Jesus, Posted July 22, 2009:
> Reversing might be hard, but if they had root access at some point, they can overwrite a hash in the database with their own to use on someone's account later on. I used to have to force a hash into WordPress in order to fix borked upgrades that screwed up the database. It's possible to overwrite the hash with a "known" hashed password, then it's game over. If they created one on someone's account, and they don't bother to change it, they could come back later as that user, say, if that person hadn't logged on for a while and wasn't aware of the compromise.

Yes, but you see then at the worst they can only change your password, which is the whole point in password hashing. Seeing as my password is exactly what it was before the exploit, I'm fairly certain that there is no need to change my forum password. The speculation to change my password for anything else tied to this email that uses it is also a false one, as again, these were hashed passwords.
VaKo (thread author), Posted July 22, 2009:
That's your own call. This was a precautionary measure, as I know of several people who used the same password for Facebook etc. It's probably safe, but who knows where that database ended up.
lopez1364, Posted July 22, 2009:
You guys (Hak5) are teaching your listeners too well. Watch out for the grasshopper that bites the hand that feeds. Thanks for the update you guys. Password has been changed.