Linux Mint Forums Back After Double Attack

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics.Please do not add support questions to threads here,use the appropriate support forum instead
Linux.Blue
Level 3
Level 3
Posts: 150
Joined: Wed Oct 02, 2013 12:00 am

Re: Linux Mint Forums Back After Double Attack

Post by Linux.Blue » Wed Mar 02, 2016 12:23 am

Do I have to do this CAPTCHA thing or whatever everytime I log in here? I updated my password, stronger than it was before.

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4207
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Linux Mint Forums Back After Double Attack

Post by Fred Barclay » Wed Mar 02, 2016 12:48 am

Hi Linux.Blue. Clem mentioned that earlier--it's just a temporary thing while the forum gets straightened out.

It's annoying, I know, but we're gonna have to bear with it for a bit yet!. :lol:
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
Pierre
Level 18
Level 18
Posts: 8905
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Linux Mint Forums Back After Double Attack

Post by Pierre » Wed Mar 02, 2016 2:35 am

the captcha thingy is a known issue - it is getting some attention, though.
- be somewhat patient.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

User avatar
hermes333
Level 4
Level 4
Posts: 207
Joined: Fri Mar 08, 2013 12:58 pm
Location: Montréal, Québec
Contact:

Re: Linux Mint Forums Back After Double Attack

Post by hermes333 » Wed Mar 02, 2016 9:52 am

Since the attack I keep receiving spams in my e-mail associated with this forum and so even if I've changed all my passwords. I hope it will stop one day. Has anyone have other solution(s) for that?
Boîtier Thermaltake V3 Thermaltake 600W
Carte mère Asus B85M-E/CSM
Mémoire: 8 Go
Espace disque: 1 To
Processeur: Intel® i5 4570
Carte graphique: NVidia GeForce GT610
Système: Debian 9.4 Cinnamon 64 bit

User avatar
Pierre
Level 18
Level 18
Posts: 8905
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Linux Mint Forums Back After Double Attack

Post by Pierre » Wed Mar 02, 2016 9:58 am

what tells you that those e-mail are associated with this forum :?:
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

grizzler
Level 5
Level 5
Posts: 657
Joined: Wed Jun 15, 2011 5:19 pm
Location: The Hague, NL

Re: Linux Mint Forums Back After Double Attack

Post by grizzler » Wed Mar 02, 2016 10:09 am

Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.

MarcAlexander
Level 1
Level 1
Posts: 1
Joined: Wed Mar 02, 2016 9:29 am

Re: Linux Mint Forums Back After Double Attack

Post by MarcAlexander » Wed Mar 02, 2016 10:14 am

badSparks wrote:Yet another reason why phpBB3 has lax security.
What is another reason? Do you have anything to back up that statement? phpBB's security record shows quite the contrary.
badSparks wrote: It should be key based logins for admins, not passwords.


I also suggest putting phpBB3 under revision control, that way, the next time something happens, you have a history of what is going on, just do commits on every upgrade.
I hope you're not seriously suggesting public key authentication for a web interface.

I'm also not sure what revision control is supposed to help with.
badSparks wrote: Oh, also, if you want, you can force reactivation on ALL accounts.
(Make a backup of your DB first, in case you screw something up!)

Code: Select all

UPDATE  `YOUR_DATABASE_NAME_HERE`.`phpbb_users` SET  `user_type` =  '1' WHERE  `phpbb_users`.`user_id` != 2 AND user_type != 2;
in your phpMyAdmin go to the SQL tab, and do that command.
user #2 = founder (well, should be, so that account won't be touched.)
https://wiki.phpbb.com/Table.phpbb_users for details on user_type = 1 does. (it basically forces reactivation)
I think the Linux Mint team is more than capable of knowing how to do this. Your SQL query will actually just change every user's account to inactive but will not inform people of them having to reactivate or pick a new password.
badSparks wrote: Yeah, that isn't perfect, but, phpBB3 really blows chunks concerning security issues. They should have a option to force all accounts to reactivate easier.
I'd very much like you to back that up with actual evidence. phpBB 3 has a very good security record, especially when compared to other competitors (also commercial ones).
grizzler wrote:Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can login to your account if they were to be able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. » Wed Mar 02, 2016 10:27 am

Regarding spam by mails:

If your e-mail provider allows to create aliases for the account, do this and use this instead. Tell your mail-partner the new address. After some time there should only be spam in the old alias and you can block it completely.

If you use a free-mailer create a new account and do accordingly.

User avatar
hermes333
Level 4
Level 4
Posts: 207
Joined: Fri Mar 08, 2013 12:58 pm
Location: Montréal, Québec
Contact:

Re: Linux Mint Forums Back After Double Attack

Post by hermes333 » Wed Mar 02, 2016 10:43 am

I use StartMail a private and "not free" e-mail.
Boîtier Thermaltake V3 Thermaltake 600W
Carte mère Asus B85M-E/CSM
Mémoire: 8 Go
Espace disque: 1 To
Processeur: Intel® i5 4570
Carte graphique: NVidia GeForce GT610
Système: Debian 9.4 Cinnamon 64 bit

grizzler
Level 5
Level 5
Posts: 657
Joined: Wed Jun 15, 2011 5:19 pm
Location: The Hague, NL

Re: Linux Mint Forums Back After Double Attack

Post by grizzler » Wed Mar 02, 2016 10:43 am

MarcAlexander wrote:
grizzler wrote:Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can login to your account if they were to be able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.
That response has zero relevance to my reply, which was about hermes333 receiving spam and apparently assuming that changing his password would have prevented that.

Reddog1
Level 3
Level 3
Posts: 144
Joined: Wed Jun 01, 2011 2:12 pm

Re: Linux Mint Forums Back After Double Attack

Post by Reddog1 » Wed Mar 02, 2016 11:34 am

Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.

tanker001
Level 1
Level 1
Posts: 35
Joined: Sun Oct 26, 2014 1:46 pm
Location: Ferguson, Missouri

Re: Linux Mint Forums Back After Double Attack

Post by tanker001 » Wed Mar 02, 2016 12:02 pm

Hi all, I thought it appropriate to reply with this. I have Lifelock and about an hour ago I got an email indicating that they have, "During our monitoring of your identity information, LifeLock detected the following event:"

Date Of Birth: **/**/1965
Email: *@gmail.com
Email User Name: *a**e****
Email Password: Exposed Online
Type of Compromise: breach
Where your data was found: web page
Breached Site: forums.linuxmint.com
Password Status: hashed+salt

The info from the breach is in the wind. I use a different password for 90% of the sites I access and use a password manager program to keep track of them. I'm confident that the info that was accessed is useless since I changed the password here.

mastablasta
Level 4
Level 4
Posts: 314
Joined: Wed Dec 02, 2009 5:02 pm

Re: Linux Mint Forums Back After Double Attack

Post by mastablasta » Thu Mar 03, 2016 3:58 am

is there no way to have the email addresses also encrypted?

spam is how phishing spreads.

also they took my old Ubuntu forums password.... they got hacked as well not that long ago.

by the way any chance mint could use Ubutnu One SSO as well? would that make it safer?

Georgia boy
Level 2
Level 2
Posts: 56
Joined: Tue Oct 12, 2010 9:06 am
Location: Arizona

Re: Linux Mint Forums Back After Double Attack

Post by Georgia boy » Thu Mar 03, 2016 10:17 am

Reddog1 wrote:Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.

I too was told my email address associated with the username here was for sale on the dark web. I had already changed my password for here before I got that message. But to play safe I did again and also spent a lot of time changing a group of others.
Debian testing
Hp Pav a1440n
820 Intel Pent D procces 2 process cores, 2.0GB mem,250GB HD, NVIDA GeForce 7300LE, Intel ViiV.
ASUS A53SD-TS72 Intel Cor i7-2670QM 2.20GHz, 8GB DDR3, 750GB HDD, 2GB NVIDIA GeForce GT 610M, Mint LMDE2 64 bit.

User avatar
MtnDewManiac
Level 6
Level 6
Posts: 1456
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: Linux Mint Forums Back After Double Attack

Post by MtnDewManiac » Fri Mar 04, 2016 3:48 am

killer de bug wrote:
Spearmint2 wrote:(or we could do 2-3 per second if the server and attacker were on a fast connect perhaps)
I think you can do much more than this. Additionally you need to consider that the attacker may use several computers to make the attempts.
In the case of Linux Mint, where the database is available on the HD of the hacker, a few thousands of attempts every seconds are not unlikely.


But I agree that with a 20 digits password, you are safe for several months. Nevertheless, my gmail password is 25 digits.
He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).

To the person who mentioned using the same password for all logins, with only two or three additional characters added to differentiate each: Congratulations! You are effectively using two- or three-character passwords :roll: . Might want to fix that. Otherwise, if anyone ever decides to hack your passwords, they'll probably end up wasting the services of computerized hacking tools/software... when a four-year old could simply guess it in a couple minutes :lol: .


Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.

User avatar
chrisuk
Level 5
Level 5
Posts: 593
Joined: Thu Jun 12, 2008 6:16 am

Re: Linux Mint Forums Back After Double Attack

Post by chrisuk » Fri Mar 04, 2016 6:16 am

For those that have problems thinking up passwords, and don't want to use a password manager; Linux already thought of this:

Type the following into the terminal

apg -s -a 1 -m 30 -n 30

You'll get 30 unique 30 character passwords. How you use these passwords is up to you (maybe encrypt a list of passwords - use another file as a coded reference to each password in the list - store both files on a usb stick - or...)
Chris

Manjaro MATE - MX Linux - LMDE MATE

User avatar
killer de bug
Level 14
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: Linux Mint Forums Back After Double Attack

Post by killer de bug » Fri Mar 04, 2016 3:17 pm

MtnDewManiac wrote: He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).
A good password cracker is probably randomizing the attempts. :)


I am wondering since a few days, if it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25 digits password, does the hacker know it? or does he have to try 12, 15, 20 digits passwords also?

Does the hash sum reflect the letters used? What I mean is: if my password is AAAAA, would the hash sum show a pattern? The same if it's 121212. Or does the hash consider the position of the letter and leads to a different results for the first A and for the last one.

The real question is: would a 50 digits password where you use always the same letter be more powerful than a 8 random digits password?
If it ain't broke, fix it until it is.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. » Fri Mar 04, 2016 4:57 pm

killer de bug wrote:I am wondering since a few days, if it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25 digits password, does the hacker know it? or does he have to try 12, 15, 20 digits passwords also?
That would be the end for that hash.
You can check this yourself: Install gtkhash - ore nemo-gtkhash, which does the same, but as a properties-page of nemo - and check the hashsums (you have about 2 dozen hashes there), and compare a zero-byte file (e.g. gksu.lock in our home) with an ISO-image (about 1.5 GB): the length of the same is for both files the same, even a very weak as Adler or crc32. That means, even a legitimate admin shouldn't not be able to tell, if my password has 8 or 30 characters.

User avatar
Fred Barclay
Level 12
Level 12
Posts: 4207
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Linux Mint Forums Back After Double Attack

Post by Fred Barclay » Fri Mar 04, 2016 5:10 pm

I know it doesn't work for wpa-handshake files. If you could guess the password length from the hash, my pen testing would have been a lot easier... :)

(At least, no way that I'm aware of.)
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
killer de bug
Level 14
Level 14
Posts: 5415
Joined: Tue Jul 08, 2008 1:49 pm
Location: Leuven, Belgium

Re: Linux Mint Forums Back After Double Attack

Post by killer de bug » Fri Mar 04, 2016 5:30 pm

Cosmo. wrote:That would be the end for that hash.
[...]That means, even a legitimate admin shouldn't not be able to tell, if my password has 8 or 30 characters.
Ok! Thanks!

So theoretically, this password is really strong, because you would have to test shorter combinations before thinking of such a long (stupid) password:

Code: Select all

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
If it ain't broke, fix it until it is.

Locked

Return to “Releases & Announcements”