Lessons to be learned from XKCD forums being hacked

P_I
Registered User
Posts: 955
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary

Lessons to be learned from XKCD forums being hacked

Post by P_I » Wed Sep 04, 2019 1:32 pm

Making the news is XKCD Forum Hacked – Over 562,000 Users’ Account Details Leaked.
As mentioned, XKCD uses phpBB, a free and open-source forum and bulletin board software built in the PHP programming software.

However, at this moment it's unclear whether XKCD was using an older version of the forum software vulnerable to a security flaw or whether the attackers exploited a previously undiscovered flaw in phpBB to extract the data without authorisation.

Besides this, even if XKCD was running phpBB version 3.1 or later, which uses the more secure BCRYPT hashing algorithm, it's possible that the passwords for early users of the XKCD forum were hashed via the older, less secure MD5 hashing method.
I recognize it is probably still early in the investigation of what happened and why.

However, other than the standard recommendations to make sure that boards are keeping up-to-date on software releases, are there any other lessons that can be learned from this news?

Added: I wonder how many XKCD users are using 'correctbatterystaplehorse' as their password?
Source: [image]
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

david63
Registered User
Posts: 16814
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Lessons to be learned from XKCD forums being hacked

Post by david63 » Wed Sep 04, 2019 1:56 pm

What I don't like in these cases is the sensationalism "forums being hacked".

We have no knowledge as to what has happened in this case but my guess would be that someone, somehow has gained access to the server via a "backdoor" and accessed the database that way rather than via the software.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

P_I
Registered User
Posts: 955
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary

Re: Lessons to be learned from XKCD forums being hacked

Post by P_I » Wed Sep 04, 2019 2:01 pm

david63 wrote:
Wed Sep 04, 2019 1:56 pm
What I don't like in these cases is the sensationalism "forums being hacked".

We have no knowledge as to what has happened in this case but my guess would be that someone, somehow has gained access to the server via a "backdoor" and accessed the database that way rather than via the software.
That would be my original uneducated guess as well, as there are many ways to "breach" security in software systems.

Even if the breach came via a backdoor, how can/should a phpBB administrator make sure that any data gathered is not easily readable or useable?

david63
Registered User
Posts: 16814
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Lessons to be learned from XKCD forums being hacked

Post by david63 » Wed Sep 04, 2019 2:06 pm

P_I wrote:
Wed Sep 04, 2019 2:01 pm
How can/should a phpBB administrator make sure that any data gathered is not easily readable or useable?
Lock the backdoor - that is why you need a good sysadmin
David

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Lessons to be learned from XKCD forums being hacked

Post by John connor » Wed Sep 04, 2019 3:45 pm

Shodan knows all. https://www.shodan.io/host/104.196.146.194

They could start by reading my advice on at least using Ninjafirewall and how to stay hidden behind CloudFlare. For a free CloudFlare account you can't beat it.

Certainly can't find my origin IP no matter how hard you try. I know all the tricks. I don't even use remote uploaded avatars or Gravatars and there is no MX record pointing to my server IP. They pay me 500 bones and I'll secure their butt.

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Lessons to be learned from XKCD forums being hacked

Post by John connor » Wed Sep 04, 2019 3:49 pm

Something else one needs to do is go here and enter ALL of your email addresses. That way if a database gets leaked you'll know about it.

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Lessons to be learned from XKCD forums being hacked

Post by John connor » Wed Sep 04, 2019 3:52 pm

P_I wrote:
Wed Sep 04, 2019 1:32 pm
Added: I wonder how many XKCD users are using 'correctbatterystaplehorse' as their password?
Source: [image]

Keepass shows that first password as 63 bits. But I guess that's Keepass' own algorithm.

Good passwords come from easy to remember song lyrics. Like, It'samansmansWorld3321@#&

Of course don't use that now because it will now be added to a wordlist. :lol:

All of my computers are encrypted and the password is well over 30 characters and committed to memory. :lol:

Marshalrusty
Project Manager
Posts: 29253
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko

Re: Lessons to be learned from XKCD forums being hacked

Post by Marshalrusty » Wed Sep 04, 2019 9:22 pm

We've been in communication with them since the date of the incident and have offered our assistance. There is no evidence that the phpBB software was compromised. As they were running a version earlier than phpBB 3.1.11, old hashes were not updated with bcrypt for accounts where users had not logged in since their update to phpBB 3.1 from the version previously installed. More recent versions of phpBB re-hash all old hashes during the update.

I won't say any more here until they've had a chance to complete their investigation and post a statement.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Lessons to be learned from XKCD forums being hacked

Post by Lady_G » Thu Sep 05, 2019 12:05 am

John connor wrote:
Wed Sep 04, 2019 3:45 pm
Shodan knows all. https://www.shodan.io/host/104.196.146.194

They could start by reading my advice on at least using Ninjafirewall and how to stay hidden behind CloudFlare. For a free CloudFlare account you can't beat it.

Certainly can't find my origin IP no matter how hard you try. I know all the tricks. I don't even use remote uploaded avatars or Gravatars and there is no MX record pointing to my server IP. They pay me 500 bones and I'll secure their butt.
Good suggestion. Readers of this topic should use this opportunity to check their own board with Shodan.
Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
More recent versions of phpBB re-hash all old hashes during the update.
That's good to know, thanks.

Update: Post edited to revise comments regarding Shodan. See below.
Last edited by Lady_G on Fri Sep 06, 2019 1:02 am, edited 2 times in total.

P_I
Registered User
Posts: 955
Joined: Tue Mar 01, 2011 8:35 pm
Location: Calgary

Re: Lessons to be learned from XKCD forums being hacked

Post by P_I » Thu Sep 05, 2019 2:53 am

Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
We've been in communication with them since the date of the incident and have offered our assistance. There is no evidence that the phpBB software was compromised. As they were running a version earlier than phpBB 3.1.11, old hashes were not updated with bcrypt for accounts where users had not logged in since their update to phpBB 3.1 from the version previously installed. More recent versions of phpBB re-hash all old hashes during the update.

I won't say any more here until they've had a chance to complete their investigation and post a statement.
Thanks for the information. From my perspective it is helpful to know about the password hashes being updated if a board is running the current phpBB version.

3Di
Former Team Member
Posts: 14477
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: Lessons to be learned from XKCD forums being hacked

Post by 3Di » Thu Sep 05, 2019 3:00 am

P_I wrote:
Thu Sep 05, 2019 2:53 am
From my perspective it is helpful to know about the password hashes being updated if a board is running the current phpBB version.
That's done via its cron-job, which is enabled starting from 3.1.11.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
✒️ Black Friday 2019 @ The Studio ▪️◾️
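An added audit script, not phpBB's own code and not from any poster in this topic, that makes Marshalrusty's and 3Di's point concrete: it classifies the values in a constructed export of the phpBB user_password column by prefix and lists the accounts a board that never ran the 3.1.11+ hash-update cron would still be carrying as legacy (non-bcrypt) hashes. The usernames and hash values are constructed placeholders; the assumed prefixes are `$2a$`/`$2b$`/`$2y$` for bcrypt, `$H$` or `$P$` for phpass-style salted MD5, and bare 32-character hex for plain MD5.

```python
import re

# Constructed sample rows shaped like a phpBB user_password export
# (username, stored hash). These are placeholders, not real credentials.
SAMPLE_ROWS = [
    ("alice", "$2y$10$" + "a" * 53),   # bcrypt, as written by phpBB 3.1+
    ("bob",   "$H$9" + "b" * 30),      # phpass-style salted MD5 from phpBB 3.0
    ("carol", "c" * 32),               # plain MD5 carried over from phpBB 2
    ("dave",  "$2a$12$" + "d" * 53),   # bcrypt with the older $2a$ identifier
]

# Ordered (pattern, label) table. Assumed prefixes: $2a$/$2b$/$2y$ for bcrypt,
# $H$ (phpBB's phpass variant) or $P$ for salted MD5, bare hex for plain MD5.
HASH_FORMATS = (
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$[HP]\$[./0-9A-Za-z]{31}$"), "phpass_salted_md5"),
    (re.compile(r"^[0-9a-f]{32}$"), "plain_md5"),
)


def classify_hash(stored: str) -> str:
    """Name the hash format of one stored value, or 'unknown'."""
    for pattern, label in HASH_FORMATS:
        if pattern.match(stored):
            return label
    return "unknown"


def needs_rehash(stored: str) -> bool:
    """True for anything the 3.1.11+ update cron would still have to migrate."""
    return classify_hash(stored) != "bcrypt"


def audit(rows):
    """Return (counts per format, list of (username, format) still on legacy hashes)."""
    counts = {}
    legacy = []
    for username, stored in rows:
        label = classify_hash(stored)
        counts[label] = counts.get(label, 0) + 1
        if needs_rehash(stored):
            legacy.append((username, label))
    return counts, legacy


if __name__ == "__main__":
    counts, legacy = audit(SAMPLE_ROWS)
    print("hash formats:", counts)
    for username, label in legacy:
        print(f"{username}: {label} (crackable at MD5 speed if the table leaks)")
```

Point `audit()` at a real `SELECT username, user_password FROM phpbb_users` export to measure how many accounts a database leak would expose at MD5 rather than bcrypt cost.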

John connor
Registered User
Posts: 2331
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Lessons to be learned from XKCD forums being hacked

Post by John connor » Fri Sep 06, 2019 12:17 am

Lady_G wrote:
Thu Sep 05, 2019 12:05 am
Use this opportunity to check your own board with Shodan.
You honestly think I didn't? I have an account at Shodan and use it all the time. I've even emailed websites about their CVEs. Some listen others don't.

Lady_G
Registered User
Posts: 234
Joined: Fri Jun 08, 2012 12:38 pm
Location: US

Re: Lessons to be learned from XKCD forums being hacked

Post by Lady_G » Fri Sep 06, 2019 12:59 am

Sorry, that was a misunderstanding. My comment was intended for readers of this topic to check their own boards. I have revised my post.

Freitag
Registered User
Posts: 143
Joined: Mon Jul 11, 2005 10:17 pm

Re: Lessons to be learned from XKCD forums being hacked

Post by Freitag » Wed Oct 23, 2019 8:29 pm

Marshalrusty wrote:
Wed Sep 04, 2019 9:22 pm
I won't say any more here until they've had a chance to complete their investigation and post a statement.
Has there been any more information forthcoming since then?
No clever .sig here

Lumpy Burgertushie
Registered User
Posts: 66905
Joined: Mon May 02, 2005 3:11 am

Re: Lessons to be learned from XKCD forums being hacked

Post by Lumpy Burgertushie » Wed Oct 23, 2019 8:53 pm

Apparently not. That most likely means that it had nothing at all to do with phpBB.

Therefore, we don't need to worry about it.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?
