Page 3 of 7

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 8:43 pm
by Eaglecat
I am puzzled as to why I got this email to change my password. I only signed in as a new member on Feb 26th.

Has the site been hacked again since Feb 18th? Do I really need to change my password?

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 9:10 pm
by ciaobello
If you created your account after they robbed/hacked the db, you don't need to change anything.
On the other hand, what does it cost you to do so and start using a program like KeePassX? :wink:
The team is just reminding users, to avoid being responsible for a bigger disaster.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 10:16 pm
by Kurt3162
Note that the hack was on February 20th, and the notification emails were sent over a week later (I just got mine today, the 29th).
People who have already changed their passwords (like myself) or registered after that date don't need to do anything.

Forum Security

Posted: Mon Feb 29, 2016 10:49 pm
by hlewis
I reset my password, as requested. I assume you have cleaned up all the affected code/scripts, etc.

Re: All forums user should reset their password

Posted: Mon Feb 29, 2016 11:27 pm
by [deXter]
Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:31 am
by victorsk
Clem,

PHP is notorious for having weak security and there are vulnerabilities to exploit with Apache server too. I suggest switching to Java-based forums, it will be a pain to switch but is worth it. If you don't believe me, check out this article:

http://www.veracode.com/four-out-of-fiv ... assessment

Also, I'm surprised your servers are not making use of SE Linux or grsec?

Good luck,
Victor.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:35 am
by sdibaja
ciaobello wrote:...
In the other hand, what does it cost you to do so and start using a Program like KeePassX? :wink:
....
I resist keeping sensitive data in the cloud, especially all of my passwords; just one password unlocks it all. Nothing is bulletproof.
BTW: KeePass got hacked a couple years ago... could happen again

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:44 am
by Kurt3162
victorsk wrote:PHP is notorious for having weak security and there are vulnerabilities to exploit with Apache server too. I suggest switching to Java-based forums, it will be a pain to switch but is worth it. If you don't believe me, check out this article:

http://www.veracode.com/four-out-of-fiv ... assessment

Also, I'm surprised your servers are not making use of SE Linux or grsec?
I don't know for sure, but I think I've heard they got pwned through WordPress, which is indeed a liability.
Besides, I don't think they have their own servers running behind the cupboard; they most likely have a hosting plan with a provider and the servers are pretty much professionally hardened. Of course, if you go running leaky stuff on them, all bets are off... :roll:

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 12:46 am
by Eaglecat
[deXter] wrote:Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?
A very good question. In particular, if they only got around to sending out the email today (I only received mine today), I think it would have avoided confusion and unnecessary concern to simply state in the email something like:

"If you have either changed your password or joined the Linux Mint forum after "relevant date", then you can ignore this message."

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 1:59 am
by sdibaja
Eaglecat wrote:
[deXter] wrote:Question - if the site was hacked on the 18th/20th, why is the email being sent out only now?
A very good question. In particular, if they only got around to sending out the email today (I only received mine today), I think it would have avoided confusion and unnecessary concern to simply state in the email something like:

"If you have either changed your password or joined the Linux Mint forum after "relevant date", then you can ignore this message."
February 28th, 2016 at 11:29 pm
Hope you'll send e-mail notifications as soon as possible to everyone, or else I don't think you're doing a serious job about it.

Edit by Clem: We will. As soon as the server was back up we tried to mass-email via phpbb. That failed, probably because of the huge number of accounts. We need to find a way to parse the list and send emails by bunch, hopefully without getting our MTA flagged as a spambot. It’s taking more time than I’d like and it’s been delayed because we’ve had to address other very sensitive issues at the very same time (deploying an update to detect hacked installations for instance), but it’s on our list and we’ll try to get it done asap.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 2:19 am
by mjh_op
I've changed my password, but won't the attacker continue to try to crack the new one? If so, I'm as vulnerable as before, though with a stronger password.

At logon, my account is marked as having too many logon attempts and I have to use the Captcha. Does this stop the attacker from continued automated attempts at cracking my password?

Can I delete my account and sign up with a new user id, which will be harder for the attacker to obtain?

Better, can the logon be email/password rather than userid/password? Then the userids in the forum won't be usable for cracking passwords. I've changed my email address in my profile, but on reflection I doubt that makes any difference to security.

Re: Forum Security

Posted: Tue Mar 01, 2016 4:31 am
by Moem
I'm not seeing a question in what you posted, but in case it helps: they have, in fact, replaced the whole forum. Different software that's more up to date.

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 5:43 am
by mivat
sdibaja wrote:
ciaobello wrote:...
In the other hand, what does it cost you to do so and start using a Program like KeePassX? :wink:
....
I resist keeping sensitive data in the cloud, especially all of my passwords, just one password unlocks it all. Nothing is bullet proof.
BTW: KeePass got hacked a couple years ago... could happen again
You don't have to store your key wallet in a cloud. Also, if your system is compromised it doesn't really matter whether you used a wallet or not; you simply consider everything as compromised.
What's the alternative to a wallet? I want a secure (long) unique password for every site I use. And I wouldn't consider paper and pencil as more secure.

@Linux Mint team, thanks for the transparency; a lot of businesses handle it much worse.
// I private message when logging in with a notification would make sense imo

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 7:12 am
by re-pute.it
I was able to connect to the forums over tor, however when I tried to change my password, I was blocked by Sucuri.

I hope that there is not going to be an ongoing policy of forcing users off the tor network? Please advise.

Thanks,
Mark

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 7:20 am
by Cosmo.
mjh_op wrote:I've changed my password, but won't the attacker continue to try to crack the new one? If so, I'm as vulnerable as before, though with a stronger password.
If you move through the Internet, you are at risk of becoming the victim of an attack. Here (the LM forum) or anywhere.
But there have been changes made to make the forum safer, so you are not "as vulnerable as before".
mjh_op wrote:At logon, my account is marked as having too many logon attempts and I have to use the Captcha. Does this stop the attacker from continued automated attempts at cracking my password?
The captcha is not intended; it is a not-yet-solved configuration problem.
mjh_op wrote:Can I delete my account and sign up with a new user id, which will be harder for the attacker to obtain?
This will not enhance your safety in any way.
mjh_op wrote:Better, can the logon be email/password rather than userid/password.
I doubt that. The main part is the password. With up to 30 characters, ideally randomly generated characters (practically only usable with a password manager), cracking the password would need more time than is practically doable for an attacker.
If I were to change anything (as admin) I would, if technically doable with the software, raise the upper limit for the password length.
A delay between two login attempts (even only one or a few seconds) could be a security enhancement (but only if the current login problem is solved).

But as long as users exist, who choose something like "password", "secret" or "qwerty" for the password, this is all theoretical.
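The login delay Cosmo. suggests above, and the captcha-after-too-many-attempts behaviour several posters in this thread are running into, can be expressed as a small per-account throttle. The following is an added illustration written for this page, not phpBB's or the Linux Mint forum's code; the thresholds (a delay that doubles per failure up to 60 seconds, captcha after 5 failures, counters that expire after 15 minutes) are assumed values, and the clock is injectable so the behaviour can be checked without waiting.

```python
"""Per-account login throttle: growing delay between attempts plus a captcha
threshold. Added example for this thread; thresholds are assumed values, not
the forum's real configuration."""
import time
from dataclasses import dataclass

MAX_DELAY = 60.0      # assumed cap on the enforced wait, in seconds
CAPTCHA_AFTER = 5     # assumed: failures before a captcha is required
WINDOW = 900.0        # assumed: failures older than this are forgotten


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        # clock is injectable so tests do not have to sleep
        self.clock = clock
        self.state: dict[str, AccountState] = {}

    @staticmethod
    def required_delay(failures: int) -> float:
        """Seconds an account must wait after `failures` consecutive failures.
        1s after the first, doubling each time, capped at MAX_DELAY."""
        if failures == 0:
            return 0.0
        return min(MAX_DELAY, float(2 ** (failures - 1)))

    def check(self, username: str) -> tuple[bool, float, bool]:
        """Return (allowed_now, seconds_to_wait, needs_captcha) for an attempt."""
        st = self.state.get(username)
        if st is None:
            return (True, 0.0, False)
        now = self.clock()
        if now - st.last_failure > WINDOW:
            # old failures expire; a stale counter must not lock a user out forever
            del self.state[username]
            return (True, 0.0, False)
        wait = self.required_delay(st.failures) - (now - st.last_failure)
        needs_captcha = st.failures >= CAPTCHA_AFTER
        return (wait <= 0, max(0.0, wait), needs_captcha)

    def record(self, username: str, success: bool) -> None:
        """Update the counter after an attempt; success clears it."""
        if success:
            self.state.pop(username, None)
            return
        st = self.state.setdefault(username, AccountState())
        st.failures += 1
        st.last_failure = self.clock()


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(6):
        t.record("demo-user", success=False)
    print(t.check("demo-user"))   # not allowed yet, must wait, captcha required
```

Two design points follow from the thread itself: the throttle escalates to a captcha rather than a hard lockout, because a hard lockout would let anyone who knows a username (and the leaked database contains every username) lock that user out at will; and the counter expires, so a burst of failed attempts against your account from elsewhere, as Barny describes later on this page, does not block you indefinitely. Which side of the connection to count on (account, source address, or both) is a separate choice this sketch does not make.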

Re: All forums user should reset their password

Posted: Tue Mar 01, 2016 7:36 am
by xenopeek
re-pute.it wrote:I hope that there is not going to be an ongoing policy of forcing users off the tor network?
Before we switched to Sucuri it was also the case that some connections from VPNs, proxies, or Tor exit nodes were blocked at times because those were known sources of spam. Speaking as a forum team member only; it's more important to keep the forum free from spam for all users than it is for you to be able to visit the Linux Mint forums anonymously. The volume of spam (adult content, illegal material, fake goods, phishing attempts, scams, malware links, and so on) is such that without such blocks in place the forum would become unusable.

Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 7:58 am
by Barny
Hi

I received this email, supposedly from Linux Mint Forums. How true is this, or is it just a scam?

The Linux Mint forums software was compromised by an external attacker. As a result, the attacker has gained access to read your username, email address and an encrypted (hashed and salted) copy of your password from the forum database.

If you have used this password and email address to authenticate at any other website, you are urged to reset the password on those accounts immediately as the attacker may be able to use the compromised personal information to access these other accounts. It is important to have a distinct password for different accounts.

Please also take the time to change your forums.linuxmint.com account password.

For any queries or questions related to this incident, please visit the following topic:

viewtopic.php?f=60&t=217506

We apologize for any inconvenience to the Linux Mint community, thank you for your understanding.

The Linux Mint administration team.

Re: Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 8:06 am
by Cosmo.
It is true and intended that you got it. Follow the link in the mail (or in your full quote).

Re: Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 8:14 am
by Barny
When my name isn't stated at the start of an email, I would never follow a link in such an email. I see when I tried to login, it tells me I have tried too many times and I have to submit a puzzle, which I obviously have or I wouldn't be writing this.

This is the first time I have visited this site for well over a year, so definitely not me trying to login.

Re: Linux Mint Forum compromised email

Posted: Tue Mar 01, 2016 8:25 am
by karlchen
Barny wrote:I would never follow a link in such an email.
Basically the correct approach!
Nonetheless, this is one of the very few exceptions where no kind of fraud has been intended.
This is the thread which you were asked to visit:
All forums user should reset their password
As you have already changed your forum password once after the hack, there should be no need to change it again so soon. Of course, you are free to change it in regular intervals nonetheless.
Barny wrote:I see when I tried to login, it tells me I have tried too many times and I have to submit a puzzle
This currently happens to a lot of us. We enter the correct logon credentials. Nonetheless we are directed to the captcha login page and have to enter our login credentials plus solve the captcha. Decided to consider it a kind of challenge for the moment.
It will be fixed some day to our amazement. And we are going to miss it. :wink: