The server hosting Hak5.org and the Hak5 forums was hacked.

[X3N]

i like to use lastpass with the plugin for firefox to manage all my passwords it really helps with keeping everything organized and being able to generate random passwords everytime you need to...

[nicatronTg]

I'm not gonna lie, it's great that you let us know. 'course, when you forget what you've used a password for, well that becomes a problem.

[devnut]

I knew to use a different username/password on a site like this. Vulnerable shared hosting and unproprietary software is a bad recipe for getting hacked, too bad. Get a dedicated server, run virtual machines on it, and isolate projects from each other. Nubs.

[Jason Cooper]

Did anyone else think it was ironic that the site was running on a shared host after all the episodes recently on virtual servers :)

Seriously though, well done Matt and the rest of those that helped get the site back up. When these things happen (and things like this happen to everyone in the industry at sometime) it takes a lot of effort to get the site restored, up, running and secured. You all deserve a beer or two after that.

[MartynX95]

Shoot! I use that password for evrything!

[coyotepedia]

Good job getting things back up and running so fast guys. Password (used only here) is changed, no big deal, life happens. How about an episode focusing on the attack methodology and the response/recovery and the steps taken to defend in the future? I know I'd be interested.

[DingleBerries]

Why am I being email a plain text password when I try to recover my account? I know that I should change it but I am not sure if other are sure about what to do.

[VaKo]

I don't know of a forum software that doesn't send out *temporary* passwords in plain text. PHPBB, Simple Machines Forum and Invision Power Board all share this behaviour. If your email isn't secure, we can't help you on that front, other than suggest you look at hushmail.

[bmdsherman]

Ya, it sucks.

But still, you guys run a show about hacking so it all comes full circle.

[Wolf68k]

I get it that hacks happen but I think it's a bit ironic that Hak5 got hacked.

I'm also wondering why the password database doesn't encrypt the passwords themselves. This implies that they are in plain text. Wouldn't even a simple hash of some kind be enough?

[VaKo]

Again, all forum users passwords were MD5 hashed with salt. The server was rooted, which means the hackers had full access to everything, including said salt.

[DingleBerries]

I don't know of a forum software that doesn't send out *temporary* passwords in plain text. PHPBB, Simple Machines Forum and Invision Power Board all share this behaviour. If your email isn't secure, we can't help you on that front, other than suggest you look at hushmail.

I havent played around with PHPbb, but I know other forums that send you a reset link. If anything I'd expected to receive a temporary password and be asked to change it. I just hope that the password I am sent is hashed in the db after it has been sent to me.

Just saw you post Vako. Glad they were hashed. Good luck BFing the good ones.

[h3%5kr3w]

hey Matt, don't be sorry.

A. This is not a private corporate network.

B. That asshat that did this is the one that should be sorry.

BTW good job getting this back online as fast as you did.

..... did not mean to double post.

[lnxr0x]

Good job getting everything back up and running !!! It would be a good topic on the show to cover simple steps to secure your web server, and some incident response stuff.

Again,.. kudos to Hak5 & crew for the effort in getting everything restored so quickly.

-Lnxr0x

[microft]

Is there an rough guess when the intruders gained access?

As far as I can tell/guess, if a user didn't login in that period of time the perpetrators could not have gotten his password.

[silentknight329]

I don't know why somebody would even wanna do this to Hak.5, they spend their time to give us knowledge and keep us entertained. I hope somebody catches this person. Thanks for getting everything up and running so quickly, and thanks for not keeping us in the dark.

~silent

[Matessim]

are you fucking serious? i really liked this password :S

[0xCD5]

I knew to use a different username/password on a site like this. Vulnerable shared hosting and unproprietary software is a bad recipe for getting hacked, too bad. Get a dedicated server, run virtual machines on it, and isolate projects from each other. Nubs.

I came here to recommend the same. Especially on a high-profile site such as this.

Since I had a shared host that got exploited on someone else's site, I closed my account (when they refused to investigate) and got a VPS account. Now I can lock down the server, pull all the crap I never use out of Apache, monitor the server, and most importantly I know exactly what scripts are running on the server.

To the Hak5 team, sorry about your server! Hope all is well, you've had some pretty shitty luck this week :)

[Dodo]

On July 20th, 2009 the server hosting Hak5.org and the Hak5 forums was hacked into and defaced via an exploit on a unrelated system. During this time the forum database was accessed and as such, passwords (which are linked to your email address) used for forum accounts have been compromised. Please login to http://www.hak5.org/forums/ and change your password, if you used this password elsewhere you will need to change these passwords ASAP. We apologize for this inconvenience.

That shouldn't be a problem. You shouldn't store passwords in plain text. The database shouldn't be hacked, and if that happens, you shouldn't even know about it. This is forum software, thus any damn page request, malicious or not, will inflict a database query.

Also, the attacker usually won't want a user account or their passwords, but rather the email addresses to sell them to spam forwarders. Sorry if this sounds rude now, but this site and its forums are simply to invaluable or irrelevant to attack for other reasons.

I'm not changing my password. May someone play havoc with this user account on THESE forums, and THESE forums only... Like as if I'm using the same password and username everywhere... come on, get real... like I would risk anything important, I want to keep to some random forums that don't rely on keeping my credentials safe... seriously... <_<

[The Sorrow]

Hey everyone,

First let me be the first to apologize for what has happened over the last two / three days.

After many cans of Red Bull, and more nicotine than I think I've ever had before there are very few issues that remain to be resolved.

Let's start on what exactly happened.

At approximately 3:30pm eastern time on Monday, the webserver that hosts Hak5 as well as 84 other non Hak5 related sites was exploited by a cross site scripting attack which resulted in the dump of a mysql field that contained the root password for the server.

The reason this password was stored is because the billing system we have in place handles orders and cancellations based on a cron job automatically.

However recently the billing system began to employ the use of a remote key hash, however not thinking about it, I never removed the root password from the other field. This mishap ended up causing the hell that has been my life for the last 48 hours.

This has been fixed, the remote access key can now only be used by scripts calling the key from the local machine. SSH certificate authentication has been enabled and password authentication is in the process of being disabled. We have modified our backup strategy and verified it's functionality. We're still working on getting the backups stored remotely and this will happen within the next week.

I want to once again sincerely apologize for the problems that this has caused to each of you, our dedicated members. It has also made me rethink exactly how I go about security on things such as this. When I offered to host Hak5, it was to save $100 per month and increase performance of the site. When we migrated the website to my server we received a number of emails about the noticeable performance increase.

It saddens me that there are those who hate what we do so much that they are willing to completely destroy what we've done without remorse or consideration, however there isn't anything we can do but to continue doing what we enjoy, bringing you weekly technolust.

I must also make this note, the attacker was not prdelka.

I've been in contact with the real prdelka (who is a weekly viewer of the show) over the past 24 hours and he has provided me with numerous valuable pieces of information on who really perpetrated this attack.

There are also others who have been instrumental in the process of getting us back online and educated as to what happened.

Mubix has done an amazing job of tracking logs and ip addresses and getting as much information as possible.

Vako has been rock solid in his support and offering to help in any way he can whether it be here on the forums, in IRC or elsewhere

The #hak5 irc guys; while we've had our differences, you've really outdone yourselves in helping out in this situation and keeping things under control in there, my hat goes off to you guys.

Steve from Rack911.com - Steve has been a good personal and professional friend of mine for a number of years, and his tireless hours in assisting me with getting the server and services on it back up and running have been an absolute life saver.

There are others I'm sure I'm forgetting, but please know that all of the help that everyone has provided during this incident has been nothing short of awe inspiring.

Once again, thank you for watching Hak5 and should you have any questions regarding this or any other topic please feel free to contact me or post them here in the forums and I'll do my best to answer them.

Thanks,

Matt

wow amazing how one small hole lets in a whole bunch of trouble. I thought the site was down for maintenance as well.

[jobdone]

Yeah this was kinda funny from our point of view (sorry matt with the red eyes...) when I came to log in all i saw was 'This Defacement is deployed in accordance to the fuqhak5 licence agreement'

'Shoutz to:'

'sky/dmc (dominic chell)'

'--prdelka/mdf/cr00k'

and the first thing that goes through your mind is , erm is this for real? but then when you think about it by the nature of your site it is a 'string to someones bow'.

p.s. take the Micr0$haft train of thought although one hole is plugged there will always be more thats why were all here right?

[rpimonitrbtch]

Well, all my passwords are different (keepass ftw) and the email address on my account is my gmail that gets spammed already, so, eh... minimal damage for me.

[jobdone]

have to admit I'm in the same boat as rpimonitrbtch however if I wasn't I still wouldn't worry , unless of course you use that email and password for something like paypal...

[h3%5kr3w]

lol, I cant ever remember what my gmail password is and I have so many different passwords and variations.. so good luck with that one you useless cracker!!

Obviously you just did it to look cool with shout outs on the page. WHHeeewwwWWW your so 1337!!! You deserve some awesome sauce!!!

Wow makes me feel like it's 2002 again! I'll bet you watch hackers 3 times a day, and getting drool all over your 300mhz power pc you friggin' idiot.

Yes I am sure you are here. It's just like an arsonist. You love to watch what happens afterward you stupit twit! Screw you and your whole game sir. You fail. Because we ARE back, and we will not stop.

[CraigHB]

Things were screwy when I visited the site the other day and could tell right off something was wrong. I've had compromised web sites plant malicious code on my machine before and I was concerned about that.

Doesn't surprise me this happened. What better target for someone trying to prove something than a site that covers both sides of the security issue. I've learned a lot already from the forum and episodes. It's a great resource for just being aware of what malicious users are capable of. Half the battle is knowing. Thanks for the heads up and it has prompted me to rethink my password security all around.