That makes sense. It would've made just as much sense for the admins to state what you just relayed in the forum notice link, just so everyone was aware.
Thanks for relaying that information, though!
Last edited:
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MacRumors Forums: Security Leak
- Thread starter MacRumors
- Start date
- Sort by reaction score
That makes sense. It would've made just as much sense for the admins to state what you just relayed in the forum notice link, just so everyone was aware.
Thanks for relaying that information, though!
Yeah.....I never really understood why MacRumors required a password to make a comment. Like we are all anonymous anyway
How's that work, though? A moderator account should not have access to the password hash database, right? The fact that the database was able to be copied by a moderator account does strike me as placing the fault at vBulletin's feet. IOW, it seems to be that while compromising a moderator's account could be trouble for a forum (by banning users, deleting posts, and other forms of mischief) it absolutely shouldn't place any other account credentials at risk. (I've never used vBulletin in any capacity other than a user - does moderator status grant some elevated privileges on the back end?)
Your assuming that the moderator account had access to the database, the fact of the matter is it almost certainly didn't.
Look at the Ubuntu forum hack for details of how they managed to get the user database, starting with a moderator acc.
Getting to a certain level 'opens doors' so to speak.
Actually, I didn't assume that, and (not clearly, in not so many words) I stated an assumption that moderator account would NOT have access.
I'll read up on the Ubuntu forum incident, thanks. I'd forgotten such a post-mortem already existed.
That said - so I guess we've established that a moderator account can, somehow, get access to the password database. Not directly, I take it from your comments, but via some additional steps. That doesn't sound to me like it's something by design, so wouldn't it be legitimate to blame hacks like this on vBulletin, regardless of how easy it was to determine the moderator's password?
What I don't get is why Macrumors hasn't already suspended his account. Hacking might be fun for some people, but it is unethical.
Probably because Arn can get info from him. Banning someone outright when he's obviously willing to talk (to some degree) would be detrimental. He gains no real benefit, since the hacker didn't even use his own account.
I'm not downplaying the hacking, but what information will they have? Names, passwords (to MR) and your birthdate and email address. If members used different passwords for their various sites the damage is limited to the hackers knowing your password here at MR which of course you already changed.
Am I missing something, or misunderstanding the issue
They got the email you used for your MR account, plus the hashed password, which can probably be decrpyted -- so if you use the same password on here as you do on other sites, they can automatically login to your other sites (for example, my twitter account used the same email / password and was compromised).
You couldn't be more wrong about your conclusions from this incident. If a password gets stolen, you can change your password. If a fingerprint gets stolen, you can't ever change your fingerprint. Fingerprints will always be useful for things like forensics, but they are absolutely terrible for security since you leave them everywhere and can't ever change them.
Aparently the MR hacker has no plans to compromise accounts
http://arstechnica.com/security/201...-860000-passwords-speaks-were-not-terrorists/
An interesting read. But I've changed my passwords non the less.
http://arstechnica.com/security/201...-860000-passwords-speaks-were-not-terrorists/
An interesting read. But I've changed my passwords non the less.
I had some trouble too at first to start using icloud keychain. I deleted all my old passwords from the keychain and then enabled icloud keychain, after that it started to work ok.
I had the exact same issue. My Mac wouldn't save the new password automatically, so I had to manually change it using the keychain tool.
I don't understand all this paranoia on this forum. I have already explained it in other thread.... All passwords are Hashed.
Reversing MD5 hash is not really possible, as
1 - there caan be more than one string giving the same MD5
2 - it was designed to be hard to "reverse"
The goal of the MD5 and its family of hashing functions is
- to get short "extracts" from long string
- to make it hard to guess where they come from
- to make it hard to find collisions, that is other words having the same hash (which is a very similar exigence as the second one)
Think that you can get the MD5 of any string, even very long... And the MD5 is only 16 bytes long (32 if you write it in hexa to store or distribute it more easily). If you could reverse them, you'd have a magical compacting scheme.
This being said, as there aren't so many short strings (passwords...) used in the world, you can test them from a dictionary (that's called "brute force attack") or even google for your MD5. If the word is common and wasn't salted, you have a reasonable chance to succeed with rainbow tables.
Even if the hacker dumps the whole database, and, unless your password is hellokitty and it's md5 can be found on google, you're safe. Salting or not is not the question.
Passwords like M4cRumor$ ( with capital,alpha-numeric and symbols ) can never be cracked unless you have enough time; by that I mean > 80,000 years
Reversing MD5 hash is not really possible, as
1 - there caan be more than one string giving the same MD5
2 - it was designed to be hard to "reverse"
The goal of the MD5 and its family of hashing functions is
- to get short "extracts" from long string
- to make it hard to guess where they come from
- to make it hard to find collisions, that is other words having the same hash (which is a very similar exigence as the second one)
Think that you can get the MD5 of any string, even very long... And the MD5 is only 16 bytes long (32 if you write it in hexa to store or distribute it more easily). If you could reverse them, you'd have a magical compacting scheme.
This being said, as there aren't so many short strings (passwords...) used in the world, you can test them from a dictionary (that's called "brute force attack") or even google for your MD5. If the word is common and wasn't salted, you have a reasonable chance to succeed with rainbow tables.
Even if the hacker dumps the whole database, and, unless your password is hellokitty and it's md5 can be found on google, you're safe. Salting or not is not the question.
Passwords like M4cRumor$ ( with capital,alpha-numeric and symbols ) can never be cracked unless you have enough time; by that I mean > 80,000 years
Just changed my email address and password. The one I chose would apparently take 377 billion years to crack
"We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason),"
Sounds like they do have bad intentions.
The password itself may not be cracked, but with the hashing algorithm and the salt available, it is possible to find something that will create the same hash.
MD5 has been completely broken. It isn't a secure hashing algorithm any more.
I'll finish by quoting Bruce Schneier
"We already knew that MD5 is a broken hash function."
"I'm not losing a whole lot of sleep because of these attacks. But -- come on, people -- no one should be using MD5 anymore."
https://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
Yep.
Plus, Apple has said that the Touch ID generates only one out of 50,000 codes - that's fewer possibilities than a 5-digit number, something that can be guessed in less than a second. Touch ID is a good and convenient replacement for a 4-digit PIN, but it's not anywhere near as good as a proper password.
For starters, this is a technical forum so users tend to be more savvy and aware of technical details. Second, a small group of people run the site and listen to users, unlike anonymous mega-corporations. Third, people do complain about other security breaches, but it's not concentrated at a single forum site!
The word " Possible" is subjective. You need time and by that I mean a lot of time.
You do realize that many words can have the same MD5 hash ie. collision but chances are really low.
Collisions are not relevant to password hashing security. Most usages of a hash function for password hashing depend on either preimage resistance, or on other properties (e.g. how well the hash function work when used within HMAC, something which cannot be reduced to any of the properties above). MD5 has actually been "weakened" with regards to preimages, but only in a theoretical way, because the attack cost is still billions of billions of times too expensive to be really tried (so MD5 is not "really" broken with regards to preimages, not in a practical way).
Indeed SHA1/SHA-2 are better and the norm today but it makes me laugh when people think that the attacker has 850,000 password now in plain text.
My 2 cents...
From what I've read, a password like M4cRumor$ would actually be very EASY to crack. At its base is two dictionary words, mac and rumors, and then the only transform on it is leet speak and common capitalization, which apparently are common rules to check for when cracking.
Ars: Anatomy of a hack: How crackers ransack passwords like qeadzcwrsfxv1331
So not only does one need a password that uses uppers, lowers, numbers and symbols, but it also needs to be a long password (say, 13 characters or more) without contain any dictionary words, nor any dictionary words changed with common substitutions...
My thought these days is that a proper password is a long (16-character? 12?) random string, unique to only that one account, handled properly (ie, not written down, not passed out, etc.) used only on sites that don't utilize MD5 (SHA256 is good enough?) Unfortunately it can still get compromised if it's just an MD5 hash, due to weaknesses that have been found over the years, but it wouldn't fall to some of the quicker methods of cracking, plus some sites don't allow long passwords, or don't allow all possible characters.
At the moment, seems like password cracking techniques (both via sheer computation power, plus more sophisticated guessing mechanisms) are improving faster than users and sites making use of passwords.