Linux Mint Forums Back After Double Attack

karlchen
Level 20
Posts: 11504
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Post by karlchen » Mon Feb 29, 2016 11:03 am

Hello, PraesesZA.

For the old passwords, password hashes had been used and stored inside the database. The password hashes had been generated using phpass. phpass hashes are known to be crackable, i.e. you should assume that your old password has been cracked by now.
This is why all forum users are asked to change their passwords as soon as they return to the forum after the hack.
In case you do not know whether you used the same password on other web pages, too, well, too bad. But you should still create a new one here, unless you have already done so.

Regards,
Karl
Linux Mint 19.2 64-bit Cinnamon, Total Commander 9.22a 64-bit
Hatred is like a disease, the miserere, where one brings out at the front what should really have gone out at the back. (Goethe)

all41
Level 15
Posts: 5706
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Post by all41 » Mon Feb 29, 2016 5:16 pm

all41 wrote:
It does not seem to matter if I keep cookies or choose to delete them as Firefox closes. My login is fine even if I set it to always use private browsing mode. I am entering my username and password manually each time, not letting Firefox remember it or inputting it with a password manager.

After a couple dozen perfect logins, including this morning, this afternoon I am getting CAPTCHA'd for the first time. I suppose it's a rite of passage :|

siguie
Level 1
Posts: 4
Joined: Fri Jun 06, 2014 8:58 pm

Post by siguie » Mon Feb 29, 2016 5:35 pm

I'm glad you guys are back!

Thank you for all of the work you have done both for Linux Mint and this Forum :D

mdiemer
Level 3
Posts: 130
Joined: Wed Nov 04, 2015 4:48 pm
Location: retired

Post by mdiemer » Mon Feb 29, 2016 6:47 pm

So, I use a password 'base' where the first x characters are the same, and then the last 2 or 3 are keyed to the particular website I'm visiting. Is this vulnerable? Do I need to stop doing this, and have a totally different PW for every site?

BTW, Mint is still a great OS and I stand with you! Keep up the great work!
Gateway GT5656, AMD Athlon 3GHz, 6GB ram, 2-500 GB hard drives, 8400GS video, UR-22 Audio

Linux.Blue
Level 3
Posts: 150
Joined: Wed Oct 02, 2013 12:00 am

Post by Linux.Blue » Mon Feb 29, 2016 7:47 pm

I'm a little puzzled as to whether or not my account got hacked into. I will probably change the password anyway.
I LOVE Linux a lot, and so far I really like Linux Mint the most. This doesn't really shake my trust in this forum.

all41
Level 15
Posts: 5706
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Post by all41 » Mon Feb 29, 2016 8:24 pm

mdiemer wrote:
So, I use a password 'base' where the first x characters are the same, and then the last 2 or 3 are keyed to the particular website I'm visiting. Is this vulnerable? Do I need to stop doing this, and have a totally different PW for every site?

BTW, Mint is still a great OS and I stand with you! Keep up the great work!

Computers excel in pattern recognition and prediction.
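The phpass "portable" hash karlchen refers to above, and the base-plus-suffix pattern mdiemer asks about, as one added example (my own code, written for this thread, not the forum's or phpBB's): a Python reimplementation of the portable phpass scheme (the $P$ format; phpBB 3.0 used the same construction under the $H$ prefix), and a cracking loop that, given a password "base" recovered from some other breach, tries the base with every short suffix. The salt, passwords and iteration count below are constructed for the demo and kept small so it runs quickly; production phpBB hashes used a larger round count (to my recollection $H$9, i.e. 2^11 MD5 rounds), which makes each guess slower but does not change the shape of the search.

```python
import hashlib
import hmac
import itertools
import os
import string

# phpass' own 64-character alphabet (this is not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 6-bit groups taken little-endian from 3-byte chunks, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass hash. `setting` is the first 12 chars of a stored hash:
    "$P$" or "$H$", one alphabet char encoding log2(rounds), then an 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    # MD5(salt || pw), then 2**count_log2 rounds of MD5(previous raw digest || pw).
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def gensalt(count_log2: int = 7, prefix: str = "$H$") -> str:
    """Fresh setting string: prefix, round indicator, 8 salt chars from 6 random bytes.
    count_log2=7 (128 rounds) is a demo value, far below what a real forum should use."""
    return prefix + ITOA64[count_log2] + _encode64(os.urandom(6), 6)


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored setting and compare in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


def crack_with_suffix_mask(stored: str, base: str, suffix_chars: str, max_len: int):
    """Offline attack: the attacker holds the hash and knows the victim's 'base' from
    another site; try base + every suffix of 1..max_len chars drawn from suffix_chars."""
    setting = stored[:12]
    for n in range(1, max_len + 1):
        for tail in itertools.product(suffix_chars, repeat=n):
            candidate = base + "".join(tail)
            if phpass_hash(candidate, setting) == stored:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: a user whose password is a fixed base plus a 2-letter site tag.
    stored = phpass_hash("Tr0ub4dor&3lm", gensalt(count_log2=7))
    print(stored)
    print(crack_with_suffix_mask(stored, "Tr0ub4dor&3", string.ascii_lowercase, 2))
```

With two lowercase letters as the site tag, the search space is 26 + 26^2 = 702 candidates, so once the base is known from any one breach the per-site variation buys nothing. The round count only scales the cost per candidate; it does not rescue a password whose structure is already known.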

scribe
Level 1
Posts: 3
Joined: Wed Dec 16, 2009 1:12 pm

Post by scribe » Tue Mar 01, 2016 4:25 am

MtnDewManiac wrote:
In all seriousness - and meaning no disrespect - the news isn't that you were hacked... It's that you weren't (to our knowledge, at least :roll: ) hacked long ago, and that you actually realized that you had an intrusion.
This.

SKS
Level 1
Posts: 14
Joined: Tue Mar 12, 2013 10:20 pm

Post by SKS » Tue Mar 01, 2016 10:24 am

Explains why I have been getting tons of spam mail in my email box lately

lanesharon
Level 1
Posts: 4
Joined: Sun Aug 11, 2013 1:03 pm

Post by lanesharon » Tue Mar 01, 2016 10:36 am

I have looked all over my user control panel and I see no way to delete my account. There should be a way I can do this on PHPBB.

Moem
Level 19
Posts: 9715
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Post by Moem » Tue Mar 01, 2016 10:39 am

SKS, I doubt that; I haven't received any spam on the address I used on this forum when it was hacked.

lanesharon, send an email to admin@linuxmint.com and it'll be taken care of. It won't make you more secure, but if it's what you want, it's what you want.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Spearmint2
Level 16
Posts: 6880
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Post by Spearmint2 » Tue Mar 01, 2016 10:58 am

rephugee wrote:
I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!

Do the math. Depending on the language, an alphabet may contain 50 or more letters, counting both lower case and capitals. Add to that the numbers 0-9, the _, - and space. Even if you just say there are only 60 possible characters for each position in a password, a brute force attack would take at most this many tries to hack the password.

60 to the power of 20 = 3.6561584e+35

or 365,615,840,000,000,000,000,000,000,000,000,000 attempts

Let's add to the fun. How many seconds are in a year? Let's assume each attempt took only a second (or we could do 2-3 per second if the server and attacker were on a fast connection, perhaps).

The number of seconds per year is 3.154e+7

or 31,540,000

That means it would only take 9.9907044e+27 years to hack the password, if it was only the last combination tried which was correct. Roughly rounded off, that's 10,000,000,000,000,000,000,000,000,000 years.

I'm thinking that's sufficient for me!
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Pierre
Level 19
Posts: 9234
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Post by Pierre » Tue Mar 01, 2016 11:08 am

Ideally, you should have a unique password for every site,
but that could amount to having to remember several passwords,
so some people will write them down somewhere,
as long as that is kept somewhat secure.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Post by killer de bug » Tue Mar 01, 2016 12:55 pm

Spearmint2 wrote:
(or we could do 2-3 per second if the server and attacker were on a fast connect perhaps)

I think you can do much more than this. Additionally, you need to consider that the attacker may use several computers to make the attempts.
In the case of Linux Mint, where the database is available on the HD of the hacker, a few thousand attempts every second are not unlikely.

But I agree that with a 20-digit password, you are safe for several months. Nevertheless, my Gmail password is 25 digits.
If it ain't broke, fix it until it is.

Panguitou
Level 1
Posts: 1
Joined: Thu Feb 18, 2016 12:54 pm

Post by Panguitou » Tue Mar 01, 2016 1:02 pm

karlchen wrote:
Dear forum users,
All forums users should change their passwords.

Done!

Hope these hackers are too stupid to make use of the stolen files!
Wish you all the best, and long live Linux Mint!
Panguitou

Spearmint2
Level 16
Posts: 6880
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Post by Spearmint2 » Tue Mar 01, 2016 1:10 pm

killer de bug wrote:
Spearmint2 wrote:
(or we could do 2-3 per second if the server and attacker were on a fast connect perhaps)

I think you can do much more than this. Additionally you need to consider that the attacker may use several computers to make the attempts.
In the case of Linux Mint, where the database is available on the HD of the hacker, a few thousands of attempts every seconds are not unlikely.

But I agree that with a 20 digits password, you are safe for several months. Nevertheless, my gmail password is 25 digits.

Just divide the years by the added attempts per second, then. However, there can and may be delays on how quickly password attempts are allowed. It's limited not by the number of computers trying passwords on the account, but by the server which checks the password attempts. Also, they could decide to set it so there are only 3-10 allowed attempts and then a 2-5 minute cooling period before a password attempt on that account is allowed again, similar to the way some banks do.
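Spearmint2's point that the server can limit online guessing, and killer de bug's point that a stolen database is not subject to any such limit, as one added example (my own code, written for this thread, not phpBB's): a per-account throttle of the "N failures, then a cooling period" kind, plus a helper that turns the throttle into an upper bound on online guesses per second and feeds it into the 60^20 keyspace from the earlier post. The account names, passwords and limits are constructed for the demo. The throttle applies only to attempts that pass through the server; once the hash table is on the attacker's disk, the only brake left is the cost of the hash function itself.

```python
import time

SECONDS_PER_YEAR = 365.25 * 86400


class LoginThrottle:
    """After `max_fails` failed logins for one account within `window` seconds, refuse
    every attempt on that account for `cooldown` seconds, correct password or not."""

    def __init__(self, max_fails=5, window=300.0, cooldown=120.0, clock=time.monotonic):
        self.max_fails = max_fails
        self.window = window
        self.cooldown = cooldown
        self.clock = clock            # injectable so tests can move time forward
        self._fails = {}              # account -> timestamps of recent failures
        self._locked_until = {}       # account -> time the cooling period ends

    def attempt(self, account, password, verify):
        """Returns "locked", "ok" or "bad". `verify(account, password)` is the real
        credential check (a forum would compare against the stored hash here)."""
        now = self.clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"           # verify is not even run: no oracle while locked
        if verify(account, password):
            self._fails.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        recent = [t for t in self._fails.get(account, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_fails:
            self._locked_until[account] = now + self.cooldown
            recent = []               # the counter restarts after the cooling period
        self._fails[account] = recent
        return "bad"

    def max_guess_rate(self):
        """Best case for an online attacker: max_fails guesses, then a full cooldown,
        regardless of how many machines they throw at the one account."""
        return self.max_fails / self.cooldown


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Time to try every password of `length` characters over `charset_size` symbols."""
    return charset_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    users = {"karl": "correct horse"}          # constructed demo credentials
    throttle = LoginThrottle(max_fails=3, cooldown=120.0)
    verify = lambda account, pw: users.get(account) == pw
    for guess in ["a", "b", "c", "correct horse"]:
        print(guess, throttle.attempt("karl", guess, verify))
    # Online, throttled: at most 3 guesses per 120 s against one account.
    print(years_to_exhaust(60, 20, throttle.max_guess_rate()))
    # Offline, hashes in hand: no throttle applies, only the hash cost per guess.
    print(years_to_exhaust(60, 20, 5000))
```

The lockout rejects the correct password too while the cooling period runs, which is what makes the bound hold; the price is that an attacker can lock a victim out of their own account by sending junk guesses, so real deployments usually pair this with a CAPTCHA or an IP-based limit rather than relying on lockout alone.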

Turgid
Level 1
Posts: 17
Joined: Thu Dec 31, 2015 2:14 pm
Location: Burnaby Canada

Post by Turgid » Tue Mar 01, 2016 4:04 pm

Mint 17.3, Cinnamon, Asus P9x79 LE, i7-4820, 16GB, ATI R9 285
Puppy Lucid 5 multisession, K8m890, Athlon LE-1620, 4GB, GeForce 7600GS

killer de bug
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Post by killer de bug » Tue Mar 01, 2016 4:50 pm

Turgid wrote:
Found this new attack at https.
http://arstechnica.com/security/2016/03 ... on-attack/

We got, at least for LMDE2 users, the update today. Therefore we are already 'protected' against this.

Spearmint2
Level 16
Posts: 6880
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Post by Spearmint2 » Tue Mar 01, 2016 5:07 pm

Turgid wrote:
Found this new attack at https.
http://arstechnica.com/security/2016/03 ... on-attack/

That should be a whole new thread. Wasn't it just last year that SSL was retired? Soon we'll be needing a new encryption system rotating in every year, it seems.

1.618
Level 5
Posts: 590
Joined: Fri Jun 06, 2014 9:22 am
Location: Surfing a multidimensional wave of celestial intent

Post by 1.618 » Tue Mar 01, 2016 5:18 pm

Got CAPTCHA'd again today after a few hassle-free logins, got more spam email arriving as well, and an email saying this new forum was hacked and my password needs to be changed, so that's done. :)

badSparks
Level 1
Posts: 7
Joined: Tue Dec 16, 2014 1:38 pm

Post by badSparks » Tue Mar 01, 2016 5:59 pm

Yet another reason why phpBB3 has lax security.

It should be key based logins for admins, not passwords.

I also suggest putting phpBB3 under revision control, that way, the next time something happens, you have a history of what is going on, just do commits on every upgrade.


Oh, also, if you want, you can force reactivation on ALL accounts.
(Make a backup of your DB first, in case you screw something up!)

```sql
-- Deactivate every account except user_id 2 (normally the founder) and bot/ignored
-- accounts. phpBB user_type values: 0 = USER_NORMAL, 1 = USER_INACTIVE,
-- 2 = USER_IGNORE (bots), 3 = USER_FOUNDER. Only user_id 2 is spared here; any
-- other founder account (user_type = 3) is deactivated as well.
UPDATE `YOUR_DATABASE_NAME_HERE`.`phpbb_users`
SET `user_type` = '1'
WHERE `phpbb_users`.`user_id` != 2
  AND `user_type` != 2;
```

In your phpMyAdmin, go to the SQL tab and run that command.
User #2 = founder (well, it should be, so that account won't be touched.)
See https://wiki.phpbb.com/Table.phpbb_users for details on what user_type = 1 does (it basically forces reactivation).

Yeah, that isn't perfect, but, phpBB3 really blows chunks concerning security issues. They should have a option to force all accounts to reactivate easier.
