
Umm WTF Hak5


sniper7kills


This was a post by Matt in a different thread:

http://hak5.org/forums/index.php?s=&sh...st&p=137368

I hope this helps to answer some of your questions.

And yes, we do know what happened and how to prevent it from happening again. And yes, we did mention the site hack in a previous episode as well.


I'd be more interested in the "we caught the bastard" episode. Someone needs to set up a honeypot for these people.


Heh, luckily the two there were my weak passwords... so my higher stuff is good. But WTF. Were the passwords stored on a server or what? Has anyone heard of this thing called HASHING and SALT!!! WTF!!!!!!!!!!!

Read the threads on it and you will know what happened.


Seashan, if digip was correct shouldn't they only get hashes (why not just use JavaScript to hash it locally and just send the hash over HTTP (there was no SSL!!!!!!))... I am very disappointed in whoever decided to have no SSL!


I don't want to draw any attention, but on that list someone's password is "chocolate", as well as "westside". I'm sure they've changed that by now, but doesn't that give you an idea of how crummy some people's passwords were/are?

I did notice some of the weak passwords. I don't agree with using weak passwords but I cannot say I am not guilty of doing it. Usually it's for sites I really don't worry about security with. I personally grade a site and implement a password strength that is adequate for the site. A forum site gets the least amount of security, whereas my cash sites or personal data sites get pretty damn strong passwords.

JMHO


Seashan, if digip was correct shouldn't they only get hashes (why not just use JavaScript to hash it locally and just send the hash over HTTP (there was no SSL!!!!!!))... I am very disappointed in whoever decided to have no SSL!

AFAIK passwords are unfortunately sent in plaintext and hashed on the server. Even so, hashes can be broken.


Heh, luckily the two there were my weak passwords... so my higher stuff is good. But WTF. Were the passwords stored on a server or what? Has anyone heard of this thing called HASHING and SALT!!! WTF!!!!!!!!!!!

The database had the passwords stored as a hash, and salted, but they were sniffing in real time, so they could see them as they came across the wire, basically in the clear. The forums have never had SSL, so until they do, anyone who manages to sit along the path to the server can still sniff this data. They would just have to manage to break into one of the hosted machines and escalate their privileges to monitor traffic, or connect to one of the routed paths along the way and be tapped into the traffic as it comes across. Their post about an SSL side channel attack smells of bullshit to me because the forums never used SSL to begin with, so in part, zf0 or whoever posted in that zine was not giving the full details of this attack.


Seashan, if digip was correct shouldn't they only get hashes (why not just use JavaScript to hash it locally and just send the hash over HTTP (there was no SSL!!!!!!))... I am very disappointed in whoever decided to have no SSL!

If you hash it on the local client and send the hash to the server then you actually weaken the security, as the attacker could just grab your hash off the wire and then use that to log in without having to break it. You could use a set of challenges and responses to remove the need to send the password or hash over the wire, but that will put a lot of complexity into the client side code.

All in all I think the easiest and best setup is to be running all the important stuff over SSL; that way at least they need the server's private key to be able to sniff the traffic and decrypt it. In this case it sounds like they had this sort of access (but maybe not the skill or knowledge to sniff SSL).


If you hash it on the local client and send the hash to the server then you actually weaken the security, as the attacker could just grab your hash off the wire and then use that to log in without having to break it.

Do you really think so?

I think that getting the hash over the wire is slightly more secure than the password, because if you have the password... you have the password!

At least the casual network sniffer (if there is such a person) will not be able to then take your password in plain text and log into your account outright.

Either way, getting unencrypted traffic sniffed sucks, but I'd rather have my hash sniffed than my cleartext password.


Either way, getting unencrypted traffic sniffed sucks, but I'd rather have my hash sniffed than my cleartext password.

They had access to everything, so they also would have had the salt for the hashing mechanism. Reversing it would still have taken some time, but given the will and desire to do so, they probably could have done it (although I have my doubts about their skills given what they claimed).

Passwords reversed through local OpenSSL side channel attacks.

Root access and the ability to sniff in real time negates any security. Although SSL would have made it a bit harder, it probably wouldn't have prevented it if people know what they are doing. I doubt these people had that level of skill though, as they claimed to have used an SSL side channel attack, but we don't have SSL on the forums, so who knows what they really did.


well.. we can all say what we want, but in the end, if you were a smart person, then you changed your passwords, did not use the same password everywhere and life goes on. It's a forum.. I mean what can I say. We got most of our posts back, and the worst that had really happened is some of us (including me) lost our avatars.

I will have to agree though that I am looking forward to a lesson learned ep. as well. The thing is though, atm can they submit the information details to the masses? I just don't know if they are going after these people or not, but if they are, and they want the details to be held in court, is it something that can be broadcast beforehand, or even if so, do they want to? I mean think of it this way: if they have the records (or at least some of them) and they have the full details of how the hack came to be, then if they broadcast the details to the masses, what's to say that these people from zf0 would not just get rid of everything, and when they confronted them, everything would be as clean as a whistle? I think we should let this simmer for a while before really getting all the details, but that's just me.

Alongside that, there are many more people watching hak5 than just us, including great massive hordes of script kiddies... It's to the point of thinking maybe... Do we want to let everyone know? If so, what's to say that 35% of the most active forums out there won't be hacked and crapped on later by said script kiddies, ya know?

More of a morality question than anything but I guess this is just one of the consequences to hak5 becoming popular...


Hrm, I didn't think of the court case thing. I'm not sure if that's what they're planning on doing, but if they are that's a legit reason to withhold some info.

However, if not, let's get it done. The damage has been done, both to the servers and politically. I think the best thing for them to do is to own the story, explain everything, and everyone gets a great real life lesson out of it.

I know I for one spent a night changing insecure passwords after the attack, but hopefully we can use this for more than just a minor wake up call.


Taking them to court LOL. 1. They don't know who they are. 2. They don't know what country they are from. 3. If they were good hackers they would be clean as a whistle already. Shit like this happens all the time; hak5 isn't the first. You need to be a corporation with millions of dollars to try and take someone to court for that.


Do you really think so?

I think that getting the hash over the wire is slightly more secure than the password, because if you have the password... you have the password!

At least the casual network sniffer (if there is such a person) will not be able to then take your password in plain text and log into your account outright.

The point being that if the client side is converting your password to a hash and sending that hash to the server, the person sniffing on the network will just adjust their copy of the client side stuff to send your hash. As they have the hash they can still try and crack it to regain your password, but the key point being that if the attacker somehow managed to find an exploit on the server that lets them grab users' hashes, there would be no need to crack them, as they would only need the hash to log in, so as I said it would weaken the security provided by using hashes.

Either way, getting unencrypted traffic sniffed sucks, but I'd rather have my hash sniffed than my cleartext password.

If you are using different passwords for each site you log into then it shouldn't matter if they have your password or hash in the scenario described; both will get them the same distance into the system as you without them, or rather their machines, having too much work.

