Party Vibe

An interview with the claimed authors of the hack on macrumours.com and vBulletin.com by Arstechnica…

The group that hacked MacRumors Forums and made off with password data for more than 860,000 users has no plans to use it to mass compromise the accounts of people who use the same login credentials on other sites.

The pledge was made in this post by a user who supplied confidential password details that weren’t publicly available. Among other things, that information included partial cryptographic hash corresponding to the password of MacRumors Editorial Director Arnold Kim, as well as the cryptographic salt used to increase the time required to crack it. Kim told Ars that those and other confidential details included in the post were “legit.” The user went on to defend the hack as a benign undertaking designed to sharpen the skills of both the hacker and the MacRumors administrators.

“We’re not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),” the user known simply as Lol wrote. “We’re not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.”

He continued: “Consider the ‘malicious’ attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”

In subsequent posts here and here, Lol expanded on the thinking behind the hack. “Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé.” The MacRumors breach, Lol added, was taken on “to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out.”

Lol went on to counter speculation that the hack was the result of exploiting one or more vulnerabilities in VBulletin, the open-source fee-based software that powered the MacRumors forums.

“The fault lied [sic] within a single moderator,” the post stated. “All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about.”

Lol confirmed that the MacRumors password hashes totaled 860,106. Interestingly, more than half of them contained a cryptographic salt that had a length of just three “bits,” although I’m guessing Lol really meant “bytes,” which would mean each one contained just three characters.

Salts are pseudo-random strings that are appended to the plain text of passwords before they are run through a one-way hash function. Salting is designed to increase the time it takes to crack large numbers of hashes by requiring the attacker to make guesses against each hash individually instead of all at once. (Salting also prevents cracking through the use of rainbow tables, although in the age of video cards and efficient dictionary attacks made possible by Hashcat and other free cracking programs, few people use that method anymore.) To be truly effective, salts must be unique for every hash, something that generally isn’t possible with a three-byte salt.

“Anyone that’d been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work [to] do, it’s like to have many with a 3 bit salt),” Lol wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts and get results.”

While the confidential details included in the post proves the writer has insider knowledge into the hack, readers are advised to maintain a healthy skepticism of all remaining claims. For instance, counter to Lol’s claims, there’s no way right now to be sure the hack wasn’t executed by exploiting a VBulletin vulnerability. And of course, MacRumors account holders shouldn’t take the word of an admitted trespasser that their accounts on other sites won’t be accessed.

I’ve updated several of the posts above in light of current information about the hacking of vBulletin.com.

The following official annoucement has appeared on vBulletin.org: “Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”

In a new development Arstechnica have posted an article on the hack. The piece concludes by suggesting all forums running vBulletin 4 or vBulletin 5 should consider shutting their doors until word of this claimed vulnerability is officially confirmed or denied. However I have to say that I find the suggestion a little extreme given the number of forums concerned. I’m also skeptical as to whether closing a forum would stop hackers if there really is a vulnerability. Still more official information from Internet Brands would be helpful..

Readers who operate websites that run on versions 4 or 5 of vBulletin should consider following Defcon’s example and disabling their user forums—at least until vBulletin officials provide assurances there are no known vulnerabilities in their software and offer an explanation of the attack that hit their site. To be clear, there is no confirmation of the claim hackers have a reliable exploit for a critical vulnerability in fully patched versions of the software. That said, the events of the past five days give good reason for concern. This article will be updated if vBulletin officials break their silence and provide much-needed guidance about their software.

Password hack of vBulletin.com fuels fears of in-the-wild 0-day attacks | Ars Technica

Some more information on the macrumours.com hack from Kerbsonsecurity:

That same day, I reached out to both vBulletin and Macrumors. I heard immediately from MacRumors owner Arnold Kim, who pointed my attention to a story the publication put up last Monday acknowledging a breach. Kim said MacRumors actually runs version 3.x of vBulletin, and that the hackers appear to have broken in using a clever cross-site-scripting attack.

“In VB3, moderators can post ‘announcements’ in the forum, and by default announcements allow HTML,” Kim explained. “The hacker or hackers were able to somehow get a moderator’s login password, and used that to embed Javascript in an announcement and waited for an administrator to load that page. Once that happened, the Javascript installed a plugin in the background that allowed [the attackers] to execute PHP scripts.”

Kim said the attackers in that case even came on the Macrumors forum and posted a blow-by-blow of the attack, confirming that the cause of the breach was a compromised moderator account. Kim said the person who left the comment was using the same Internet address as the attacker who hacked his forum, and that the moderator account that got compromised on MacRumors also had an account with the same name and password on vBulletin.com.

“Stop [blaming] this on the ‘outdated vBulletin software’,” the apparent culprit wrote. ” The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you’re talking about. 3.x is far more secure than the latter. Just because it’s older, it doesn’t mean it’s any worse.”

My recommendation: Disable HTML in posts and Announcements immediately across the board (no pun!).

An additional statement from Internet Brands on the security breach of vBulletin.com:

Here is some updated information on our recent security issue that I have been asked to pass on to you.

The following is an update regarding the previously reported attack on vBulletin.com and vBulletin.org. The assessment of the attack has been completed and we wish to assure the community of vBulletin site operators and users that such attacks were not due to any inherent security vulnerability in the vBulletin software, including any zero-day vulnerability.

Based on our assessment, the attack was conducted by malicious hackers leveraging log-on data for servers on vBulletin.com and vBulletin.org to unlawfully gain access to user tables. No other vBulletin.com web servers were impacted.

Following discovery of the attack, all administrative and user passwords on vBulletin.com and vBulletin.org were changed. In addition, vBulletin.com and vBulletin.org users were notified of the attack and the need to change their passwords.

We take security matters very seriously and will continue to monitor our servers.