Linux Mint Forums Back After Double Attack

Post by Linux.Blue »

Do I have to do this CAPTCHA thing or whatever every time I log in here? I updated my password, stronger than it was before.
Fred Barclay (Level 12, Posts: 4185, Joined: Sat Sep 13, 2014 11:12 am, Location: USA primarily)

Post by Fred Barclay »

Hi Linux.Blue. Clem mentioned that earlier--it's just a temporary thing while the forum gets straightened out.

It's annoying, I know, but we're gonna have to bear with it for a bit yet! :lol:
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Pierre (Level 21, Posts: 13226, Joined: Fri Sep 05, 2008 5:33 am, Location: Perth, AU.)

Post by Pierre »

The captcha thingy is a known issue - it is getting some attention, though.
- Be somewhat patient.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!
hermes333 (Level 4, Posts: 223, Joined: Fri Mar 08, 2013 12:58 pm, Location: Rimouski, Québec)

Post by hermes333 »

Since the attack I keep receiving spam in the e-mail associated with this forum, even though I've changed all my passwords. I hope it will stop one day. Does anyone have other solution(s) for that?
Pierre (Level 21, Posts: 13226, Joined: Fri Sep 05, 2008 5:33 am, Location: Perth, AU.)

Post by Pierre »

What tells you that those e-mails are associated with this forum :?:
grizzler

Post by grizzler »

Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
MarcAlexander

Post by MarcAlexander »

badSparks wrote:Yet another reason why phpBB3 has lax security.
What is another reason? Do you have anything to back up that statement? phpBB's security record shows quite the contrary.
badSparks wrote: It should be key based logins for admins, not passwords.
I also suggest putting phpBB3 under revision control, that way, the next time something happens, you have a history of what is going on, just do commits on every upgrade.
I hope you're not seriously suggesting public key authentication for a web interface.

I'm also not sure what revision control is supposed to help with.
badSparks wrote: Oh, also, if you want, you can force reactivation on ALL accounts.
(Make a backup of your DB first, in case you screw something up!)

UPDATE `YOUR_DATABASE_NAME_HERE`.`phpbb_users` SET `user_type` = '1' WHERE `phpbb_users`.`user_id` != 2 AND user_type != 2;

In your phpMyAdmin go to the SQL tab, and run that command.
user #2 = founder (well, should be, so that account won't be touched.)
https://wiki.phpbb.com/Table.phpbb_users for details on what user_type = 1 does. (it basically forces reactivation)
I think the Linux Mint team is more than capable of knowing how to do this. Your SQL query will actually just change every user's account to inactive but will not inform people of them having to reactivate or pick a new password.
badSparks wrote: Yeah, that isn't perfect, but, phpBB3 really blows chunks concerning security issues. They should have a option to force all accounts to reactivate easier.
I'd very much like you to back that up with actual evidence. phpBB 3 has a very good security record, especially when compared to other competitors (also commercial ones).
grizzler wrote:Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can log in to your account if they were able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.
Cosmo. (Level 24, Posts: 22968, Joined: Sat Dec 06, 2014 7:34 am)

Post by Cosmo. »

Regarding spam by mails:

If your e-mail provider allows you to create aliases for the account, do this and use the alias instead. Tell your mail partners the new address. After some time there should only be spam in the old alias and you can block it completely.

If you use a free-mailer, create a new account and proceed accordingly.
hermes333 (Level 4, Posts: 223, Joined: Fri Mar 08, 2013 12:58 pm, Location: Rimouski, Québec)

Post by hermes333 »

I use StartMail, a private and "not free" e-mail.
grizzler

Post by grizzler »

MarcAlexander wrote:
grizzler wrote:Most likely hermes333 means the e-mail address is associated with this forum, not the spam.

It wouldn't surprise me. After all, those e-mail addresses were in the stolen data. If some spammer got hold of them...

I don't see how changing passwords could fix anything. It's not as if a spammer needs your password to send you junk. No solution, apart from filtering at your ISP and/or in your mail client.
Changing your password after the hack will make sure that nobody can login to your account if they were to be able to recover your previous password from the database dump using bruteforcing. It will also ensure that your password is newly hashed with an even stronger hashing algorithm.
That response has zero relevance to my reply, which was about hermes333 receiving spam and apparently assuming that changing his password would have prevented that.
Reddog1 (Level 7, Posts: 1939, Joined: Wed Jun 01, 2011 2:12 pm)

Post by Reddog1 »

Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.
tanker001 (Level 1, Posts: 45, Joined: Sun Oct 26, 2014 1:46 pm, Location: Ferguson, Missouri)

Post by tanker001 »

Hi all, I thought it appropriate to reply with this. I have LifeLock and about an hour ago I got an email stating: "During our monitoring of your identity information, LifeLock detected the following event:"

Date Of Birth: **/**/1965
Email: *@gmail.com
Email User Name: *a**e****
Email Password: Exposed Online
Type of Compromise: breach
Where your data was found: web page
Breached Site: forums.linuxmint.com
Password Status: hashed+salt

The info from the breach is in the wind. I use a different password for 90% of the sites I access and use a password manager program to keep track of them. I'm confident that the info that was accessed is useless since I changed the password here.
mastablasta (Level 4, Posts: 315, Joined: Wed Dec 02, 2009 5:02 pm)

Post by mastablasta »

Is there no way to have the email addresses encrypted as well?

Spam is how phishing spreads.

Also, they took my old Ubuntu forums password.... they got hacked as well not that long ago.

By the way, any chance Mint could use Ubuntu One SSO as well? Would that make it safer?
Georgia boy (Level 2, Posts: 61, Joined: Tue Oct 12, 2010 9:06 am, Location: Arizona)

Post by Georgia boy »

Reddog1 wrote:Well, that didn't take very long. I got a notice from my ID monitor that my email address (and username associated only with this list) is for sale on the dark web. SpamAssassin is gonna be busy.

I too was told my email address associated with the username here was for sale on the dark web. I had already changed my password for here before I got that message. But to play safe I did again and also spent a lot of time changing a group of others.
Linux Mint, Mageia
Lenovo IdeaCentre

ASUS A53SD-TS72 Intel Core i7-2670QM 2.20GHz, 8GB DDR3, 750GB HDD, 2GB NVIDIA GeForce GT 610M, Mint LMDE2 64 bit.
MtnDewManiac (Level 6, Posts: 1491, Joined: Fri Feb 22, 2013 5:18 pm, Location: United States)

Post by MtnDewManiac »

killer de bug wrote:
Spearmint2 wrote: (or we could do 2-3 per second if the server and attacker were on a fast connect perhaps)
I think you can do much more than this. Additionally you need to consider that the attacker may use several computers to make the attempts.
In the case of Linux Mint, where the database is available on the HD of the hacker, a few thousand attempts every second are not unlikely.

But I agree that with a 20 digit password, you are safe for several months. Nevertheless, my gmail password is 25 digits.
He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).

To the person who mentioned using the same password for all logins, with only two or three additional characters added to differentiate each: Congratulations! You are effectively using two- or three-character passwords :roll: . Might want to fix that. Otherwise, if anyone ever decides to hack your passwords, they'll probably end up wasting the services of computerized hacking tools/software... when a four-year-old could simply guess it in a couple of minutes :lol: .

Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
chrisuk

Post by chrisuk »

For those who have problems thinking up passwords and don't want to use a password manager, Linux already thought of this:

Type the following into the terminal

apg -s -a 1 -m 30 -n 30

You'll get 30 unique 30 character passwords. How you use these passwords is up to you (maybe encrypt a list of passwords - use another file as a coded reference to each password in the list - store both files on a usb stick - or...)
killer de bug

Post by killer de bug »

MtnDewManiac wrote: He also postulated that his password would be the last combination (out of all the possibilities) that would be guessed, which seems to be about as realistic as thinking that your name will be the last one in the phone book (assuming that your last name DOESN'T begin with "Zyz," lol).
A good password cracker is probably randomizing the attempts. :)

I have been wondering for a few days whether it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25 digit password, does the hacker know it? Or does he have to try 12, 15, 20 digit passwords as well?

Does the hash sum reflect the letters used? What I mean is: if my password is AAAAA, would the hash sum show a pattern? The same if it's 121212. Or does the hash consider the position of the letter and lead to a different result for the first A and for the last one?

The real question is: would a 50 digit password where you always use the same letter be more powerful than an 8 random digit password?
Cosmo. (Level 24, Posts: 22968, Joined: Sat Dec 06, 2014 7:34 am)

Post by Cosmo. »

killer de bug wrote:I am wondering since a few days, if it's possible to guess the length of a password by looking at the hash sum.
Meaning: if I have a 25 digits password, does the hacker know it? or does he have to try 12, 15, 20 digits passwords also?
That would be the end for that hash.
You can check this yourself: install gtkhash - or nemo-gtkhash, which does the same, but as a properties page of nemo - and check the hashsums (you have about two dozen hashes there), and compare a zero-byte file (e.g. gksu.lock in your home) with an ISO image (about 1.5 GB): the length of the hash is the same for both files, even for a very weak one such as Adler or crc32. That means even a legitimate admin shouldn't be able to tell if my password has 8 or 30 characters.
Fred Barclay (Level 12, Posts: 4185, Joined: Sat Sep 13, 2014 11:12 am, Location: USA primarily)

Post by Fred Barclay »

I know it doesn't work for wpa-handshake files. If you could guess the password length from the hash, my pen testing would have been a lot easier... :)

(At least, no way that I'm aware of.)
killer de bug

Post by killer de bug »

Cosmo. wrote:That would be the end for that hash.
[...]That means, even a legitimate admin shouldn't not be able to tell, if my password has 8 or 30 characters.
Ok! Thanks!

So theoretically, this password is really strong, because you would have to test shorter combinations before thinking of such a long (stupid) password:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
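As an added example, not something any poster in this thread wrote, the following Python checks the properties the last few posts ask about: the digest is the same length whether the input is empty, 5 characters or 50 (so a stored hash does not reveal password length), a one-character change flips about half the bits, a single-letter password leaves no visible pattern in its digest, and per-user salting gives the same password different stored hashes. It uses only the standard library; the sample passwords are constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample passwords for the demonstration (none come from any breach data).
SAMPLES = {
    "empty": b"",
    "short": b"AAAAA",
    "short_variant": b"AAAAB",   # differs from "short" in one character
    "repeated_50": b"a" * 50,    # the long single-letter password from the thread
    "random_8": b"g7#Qx!2L",
}


def digest_lengths(algorithm="sha256"):
    """Digest length in bytes for every sample: fixed by the algorithm, not by the input."""
    return {name: len(hashlib.new(algorithm, data).digest()) for name, data in SAMPLES.items()}


def differing_bits(first, second, algorithm="sha256"):
    """Number of bits that differ between the digests of two inputs (avalanche check)."""
    h1 = hashlib.new(algorithm, first).digest()
    h2 = hashlib.new(algorithm, second).digest()
    return sum(bin(a ^ b).count("1") for a, b in zip(h1, h2))


def longest_byte_run(data, algorithm="sha256"):
    """Longest run of one identical byte in the digest; a repeated-character input leaves no such run."""
    digest = hashlib.new(algorithm, data).digest()
    best = run = 1
    for prev, cur in zip(digest, digest[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def salted_hash(password, salt=None, iterations=200_000):
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256) as a site would store it; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


if __name__ == "__main__":
    print(digest_lengths())                                            # every value is 32
    print(differing_bits(SAMPLES["short"], SAMPLES["short_variant"]))  # roughly half of 256 bits
    print(longest_byte_run(SAMPLES["repeated_50"]))                    # no run of repeated bytes worth noting
    _, d1 = salted_hash(b"AAAAA")
    _, d2 = salted_hash(b"AAAAA")
    print(d1 != d2, len(d1))                                           # same password, different stored hashes
```

A fixed digest length says nothing about the order in which a cracker tries guesses, though: rule-based crackers try repeated-character and keyboard-pattern candidates early, so a long single-letter password is weaker in practice than its length suggests.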