phpBB Future Security?

mkruer
Registered User
Posts: 74
Joined: Mon Apr 28, 2003 7:49 pm

phpBB Future Security?

Post by mkruer » Wed Feb 25, 2009 9:28 am

First of all, sorry to hear about the hack. I am late to the game as usual, but I have some questions about future development when it comes to security.

I know a while back I brought up the idea of using hidden login/username, names that are unique but are not referenced anywhere outside of the original login. The general idea is that people do not and should not know others' login/username. Because the login/username is no longer used as a descriptor, the same hashing rules can be applied to it as a password so in effect you have a double password scheme. If someone were able to get into the database, not only would they have to crack the password, but they would also need to crack the username as well; adding an additional level of security. This should be relatively easy to accomplish if there is a willingness to support this in the future.

Another idea is that hashing can also be applied to e-mail addresses, but it becomes a bit trickier, because the e-mails need to have the ability to be reversed. Lately I have had to use PGP to secure laptops. The first part of the process is to create a master password and then encrypt the contents of the drive. Once this is accomplished, then user keys can be associated with the master password to get into the system without having to use the master password again. So using this logic, would it be reasonably possible to hash protect the e-mail addresses as well?

onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: phpBB Future Security?

Post by onehundredandtwo » Wed Feb 25, 2009 9:52 am

mkruer wrote:First of all, sorry to hear about the hack. I am late to the game as usual, but I have some questions about future development when it comes to security.
The hack was phpList and not at all related to phpBB. ;)
mkruer wrote:I know a while back I brought up the idea of using hidden login/username, names that are unique but are not referenced anywhere outside of the original login. The general idea is that people do not and should not know others' login/username. Because the login/username is no longer used as a descriptor, the same hashing rules can be applied to it as a password so in effect you have a double password scheme. If someone were able to get into the database, not only would they have to crack the password, but they would also need to crack the username as well; adding an additional level of security. This should be relatively easy to accomplish if there is a willingness to support this in the future.
If the user never posted and the username was ciphered then it would work; it would only really ever be useful to an admin though. If you really wanted to be secure then you could create a PHP script that only allows you to log in as an admin if you are from your IP address.
mkruer wrote:Another idea is that hashing can also be applied to e-mail addresses, but it becomes a bit trickier, because the e-mails need to have the ability to be reversed. Lately I have had to use PGP to secure laptops. The first part of the process is to create a master password and then encrypt the contents of the drive. Once this is accomplished, then user keys can be associated with the master password to get into the system without having to use the master password again. So using this logic, would it be reasonably possible to hash protect the e-mail addresses as well?
I guess it could but that adds yet another layer of complexity to phpBB that many users do not agree with. Email addresses aren't something you should really be too worried about, most users sign up with a Hotmail and it is very easy to change email addresses if the email address is spammed.

Interesting topic though, perhaps in the future some of these ideas may be put into action. :)
Need help preventing spam? Read Preventing spam in phpBB 3.0.6 and above

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: phpBB Future Security?

Post by Kellanved » Wed Feb 25, 2009 9:58 am

Login names other than the displayed usernames are under consideration, although they might have done more harm than good in the scenario we encountered. They would be more a convenience than a security feature.

Encrypting email addresses is pretty much impossible, as the encryption has to be - as you say - reversible. Thus an attacker could extract all information required for decrypting from the database and/or the filesystem.
Nocando is in Idontwanna county. No support via PM

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: phpBB Future Security?

Post by Techie-Micheal » Wed Feb 25, 2009 3:36 pm

As stated, the problem wasn't with phpBB. While we (yes, we ;)) are always working to improve the security of phpBB, phpBB3 has made gigantic leaps ahead in terms of secure coding techniques and so on. Encrypting emails, while it seems like a good idea, comes with the problem of requiring a key. Where's that key stored? In the database or config file, both things that the attacker can readily access and be on his or her merry way.
Proven Offensive Security Expertise. OSCP - GXPN

mkruer
Registered User
Posts: 74
Joined: Mon Apr 28, 2003 7:49 pm

Re: phpBB Future Security?

Post by mkruer » Wed Feb 25, 2009 6:56 pm

I understand that it was not phpBB that was hacked; however that is not the point. The point that I was trying to make is that a database is only as secure as the weakest link, so we have to assume that someone will be able to read anything stored in the database verbatim. Using this logic, key data fields need to be protected beyond plain text. As a thought experiment, how could we reasonably encrypt the sensitive data?

As a thought experiment, how would we implement such a system? As stated above, the problem is that the password needs to be somewhat transient in nature. It cannot remain in the file system nor the database.

Could the password be stored as a cron job, in memory of the server, and updated/replaced every login with a rotating password?

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK
Contact:

Re: phpBB Future Security?

Post by ChrisRLG » Wed Feb 25, 2009 7:47 pm

mkruer

For the forum software to be able to retrieve the email data - such as to send notification emails - it would need to be able to decrypt the data, if so it has to store that key somewhere, if it does it might just as well have the data in clear, as any hacker worth his salt will be able to access it all.

The same goes for the password to the database etc - unless the software can access a password it cannot do anything. Storing in encrypted form is just not possible.
phpBB: The All Important Rules - Bertie Bear 3.0 - No support via PM system - use the forums please.
phpBB v2: Retirement (1/1/2009) : phpBB v3: Read Me Topic - Custom BBCodes - Support Template
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."
My Links: MS MVP (Consumer Security) - Malware Removal:University - Own Forum: Custom BBCode testing

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: phpBB Future Security?

Post by Techie-Micheal » Wed Feb 25, 2009 10:04 pm

Storing it in RAM is not that much more difficult to retrieve the information. Besides, RAM is called volatile storage for a reason. ;)
Proven Offensive Security Expertise. OSCP - GXPN

mkruer
Registered User
Posts: 74
Joined: Mon Apr 28, 2003 7:49 pm

Re: phpBB Future Security?

Post by mkruer » Fri Feb 27, 2009 8:34 pm

ChrisRLG wrote:mkruer

For the forum software to be able to retrieve the email data - such as to send notification emails - it would need to be able to decrypt the data, if so it has to store that key somewhere, if it does it might just as well have the data in clear, as any hacker worth his salt will be able to access it all.

The same goes for the password to the database etc - unless the software can access a password it cannot do anything. Storing in encrypted form is just not possible.
I understand that, but is it possible to come up with a transient key, one that shifts upon access? Let me see if I can explain this. You have a master key for the e-mails which is static. You then create a process key similar to a sid that allows access to the master key and then to the e-mails. The sid/key would shift and update upon access. The general idea is that the key keeps moving around more frequently than the time it would take to grab the contents of the database, so by the time the hacker got the key, it would be invalidated.

Dog Cow
Registered User
Posts: 2495
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Re: phpBB Future Security?

Post by Dog Cow » Fri Feb 27, 2009 8:49 pm

If the hacker has gotten so far as to be able to access an internal key, then something else earlier has failed. And that should probably be the primary focus instead.
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog

Lumpy Burgertushie
Registered User
Posts: 66926
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: phpBB Future Security?

Post by Lumpy Burgertushie » Fri Feb 27, 2009 9:28 pm

I agree, if the hacker has access to the database at all, then you have more problems than worrying about the email or usernames and passwords.
Once you have access to the database that usually means that you have access to everything on the server.

The only real problem with what the hacker did here at phpbb.com was just the fact that some people may have used the same username/passwords for more sensitive logins used elsewhere.

Other than the staff, the rest of the members here would not be impacted in any serious way by someone having our login info for phpbb.com.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If a tree falls in the forest and nobody is there, does it make a sound?

Nelsaidi
Registered User
Posts: 525
Joined: Mon Feb 11, 2008 1:59 pm
Location: London, UK
Contact:

Re: phpBB Future Security?

Post by Nelsaidi » Fri Feb 27, 2009 11:04 pm

Yeah, as said, first for encrypting Emails, this has to be reversible. Yes it can be made hard to gain of, but is possible, there are many things in an email which will give away parts of the pattern (if any), and in many cases, access to the database is made after the file server, access to the file server means able to decrypt (there are exceptions, such as built in cyphers which are unique). Second of all, the Login name and Username is to some extent a good idea, although I'm sure many people like me would use the same for both, else it sucks, I want to use Nelsaidi tbh. My password is strong methinks, containing upper cases, lower cases, numbers and symbols, and is long, that's secure.

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: phpBB Future Security?

Post by Techie-Micheal » Sat Feb 28, 2009 1:11 am

nelsaidi wrote:Yeah, as said, first for encrypting Emails, this has to be reversible. Yes it can be made hard to gain of, but is possible, there are many things in an email which will give away parts of the pattern (if any), and in many cases, access to the database is made after the file server, access to the file server means able to decrypt (there are exceptions, such as built in cyphers which are unique). Second of all, the Login name and Username is to some extent a good idea, although I'm sure many people like me would use the same for both, else it sucks, I want to use Nelsaidi tbh. My password is strong methinks, containing upper cases, lower cases, numbers and symbols, and is long, that's secure.
The definition of encryption is that it is reversible.
Proven Offensive Security Expertise. OSCP - GXPN

mkruer
Registered User
Posts: 74
Joined: Mon Apr 28, 2003 7:49 pm

Re: phpBB Future Security?

Post by mkruer » Sat Feb 28, 2009 1:13 am

Well this is a vetting process in the realm of ideas. Just trying to think outside of the box. Just because the hacker can get to the data, doesn't mean that there can be additional roadblocks to them reading the data. The question is how much is reasonable?

I mean that there could be something convoluted like a session key per thread. The e-mails would be encrypted globally with the username/password and it's only when the user posts that it decrypts and encrypts it with the thread encryption. This of course would mean adding overhead to the post because now all the e-mails would have to be stored on a thread by thread basis. However if the database was hacked now the hacker needs to decrypt all the threads to get to the e-mails.

If nothing comes from it, oh well. However I do hope that others start thinking outside the box :mrgreen:

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: phpBB Future Security?

Post by Techie-Micheal » Sat Feb 28, 2009 2:02 am

mkruer wrote:Well this is a vetting process in the realm of ideas. Just trying to think outside of the box.
Of course. :)

I meant to reply with more, but somehow I didn't and pushed submit anyway. What I meant to say was this:

It is possible to encrypt things in a database (PCI requirements, for example), but it requires more of an infrastructure than what the phpBB software can provide.
Proven Offensive Security Expertise. OSCP - GXPN
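
An added example, not phpBB code and not written by any poster in this thread, of what the application side of that extra infrastructure can look like: login names stored only as a keyed hash and e-mail addresses encrypted, with the key supplied from outside the database. The `FORUM_MASTER_KEY` environment variable, the function names and the sample values are assumptions; as the replies above point out, anyone who can read the PHP process environment or filesystem still gets the key, so this only covers a leak limited to the database.

```php
<?php
declare(strict_types=1);
// Added example, not phpBB code. Assumption: the master key reaches PHP from
// outside the database, here via a hypothetical FORUM_MASTER_KEY env variable.
function load_master_key(): string
{
    $hex = getenv('FORUM_MASTER_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('master key missing or malformed');
    }
    return hex2bin($hex);
}
// Independent subkeys, so the lookup index and the ciphertext never share a key.
function subkey(string $master, string $purpose): string
{
    return hash_hkdf('sha256', $master, 32, $purpose);
}
// Keyed, deterministic hash of a login name (assumed case-insensitive): the row
// can be found at login without storing the name. No per-row salt is possible,
// so it resists cracking only while the key stays out of the attacker's hands.
function blind_index(string $login, string $master): string
{
    return hash_hmac('sha256', strtolower(trim($login)), subkey($master, 'login-index'));
}
function encrypt_email(string $email, string $master): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($email, $nonce, subkey($master, 'email')));
}
function decrypt_email(string $stored, string $master): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, subkey($master, 'email'));
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered ciphertext');
    }
    return $plain;
}
// Constructed demo values; a real key would be provisioned once, not generated per run.
putenv('FORUM_MASTER_KEY=' . bin2hex(random_bytes(32)));
$key = load_master_key();
$row = ['login_idx' => blind_index('HiddenLogin', $key), 'email_enc' => encrypt_email('user@example.com', $key)];
var_dump(hash_equals($row['login_idx'], blind_index(' hiddenlogin', $key)));
var_dump(decrypt_email($row['email_enc'], $key));
```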
