Comments on Errata Security: The Importance of Being Canonical
(Blogger comment feed for the post; feed author David Maynor. Comments below are in chronological order.)

---

Matt Weir, 2009-02-07 23:28 (-05:00)

One thing I want to point out is that the plaintext passwords the hacker posted (about 28 thousand of them) are only the passwords that he was able to crack. There were significantly more in the MD5 database that were strong enough that he wasn't able to break them.

I read your article on Dark Reading, which implied that the passwords used on phpBB were weaker than the MySpace ones. In reality it would be hard to compare the two lists until a majority of the phpBB ones are cracked. I will admit, though, that without a password creation policy I would expect the phpBB ones to be easier.

All that being said, I fully agree with your recommendations and conclusions.

---

Henry, 2009-02-08 14:30 (-05:00)

Just a minor thing: phpBB.com was hacked two weeks before a patch became available.

Good rundown otherwise, especially about the reason for the passwords being as they are.

---

Unknown, 2009-02-08 14:33 (-05:00)

> The problem here was that they used a free "phplist" software, and the patch came out at the same time as the exploits. They didn't have enough manpower to get the patch installed before they were hacked.

This is simply untrue. The milw0rm exploit was out on the 14th of January, while phplist didn't put out a patch until the 29th of January. Manpower or not, no one can apply a patch that does not exist.

---

Robert Graham, 2009-02-08 15:41 (-05:00)

> The milw0rm exploit was out on the 14th of January, while phplist didn't put out a patch until the 29th of January. Manpower or not, no one can apply a patch that does not exist.

This is a good point, but wrong.

Organizations that spend a lot on security subscribe to forums like milw0rm. As soon as they see something appear on milw0rm, Full-Disclosure, etc. that affects them, they fix their software EVEN IF NO OFFICIAL PATCH EXISTS. If given no other choice, at least you can disable the offending software. In the case of phplist, it was an easy fix the customer can do themselves. Indeed, that's the point of open source: you don't have to wait for the vendor to release a patch, you can simply change the source yourself.

---

Unknown, 2009-02-08 16:15 (-05:00)

The milw0rm post has no suggested fix. Patching software without an official patch normally requires regression testing and the like to make sure your 'fix' not only works against the original problem, but also doesn't miss any edge cases of the original problem and doesn't introduce security problems of its own.

Your original paragraph implied that there was a patch to be applied but no one did so in time, which is my objection.

It's very easy for people to miss things. After all, everyone's human. To insist that phpBB was at fault for not fixing the issue is a stretch at best.

I'd prefer to say the real problem is the fact that phplist emulates register_globals. There's a damn good reason why it's being removed.

---

Robert Graham, 2009-02-08 17:56 (-05:00)

> To insist that phpBB was at fault for not fixing the issue is a stretch at best.

I said nothing implying phpBB was at "fault" for anything. This issue of "fault" is something you read into the post that wasn't there. This insistence on finding "fault" is a disease in the cybersecurity community that disgusts me, and it hinders rational discussion of cybersecurity.

Instead, I'm trying to figure out what I could suggest to them to help them mitigate such threats in the future. Normally, this recommendation would be to keep up with Bugtraq, Full-Disclosure, milw0rm, and similar forums. This exploit was on all three forums on Jan. 14. Moreover, this exploit shows how to patch the vuln (filter the _SERVER variable in the URL somehow).

However, I doubt a site like phpBB has the manpower either to keep up with the forums or to quickly implement mitigation strategies while keeping the system up and running. I'm not saying they are at fault for the lack of manpower; I'm saying the reality of the situation is that, as a free site, they can't get the manpower, and that they have to look for other strategies that don't require manpower. I suggest a few things that can be done without spending money or manpower. For example, canary accounts are a cheap and easy intrusion detection system that doesn't require manpower to operate.

---

Unknown, 2009-02-08 18:21 (-05:00)

An even better suggestion would be IDS/firewall options: mod_security, suPHP to use separate users for each application the server runs, proper DB permissions to segregate applications, and even the use of Suhosin.

Canary accounts would only tell you that you've been hacked, while the above would prevent it (mod_security and Suhosin alone in this instance would've sufficed to prevent the attack between them).

Manpower doesn't really factor into it. There are at least 50 phpBB team members, so if you think between them they can't sort out a server due to manpower issues, then you're overlooking more fundamental problems...

---

Erik, 2009-02-09 04:21 (-05:00)

Upgrading to salted passwords by running a cracking tool doesn't sound very ethical. Besides, complex passwords will most likely not be regenerated with rainbow tables.

What I would have done is to take the non-salted hashes and simply hash them again, but with a salt this time. I.e. what will be stored in the database would be something like:

Hash(salt, Hash(password))

---

Robert Graham, 2009-02-09 15:42 (-05:00)

> Hash(salt, Hash(password))

Smart idea. I'm jealous I didn't think of that.
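Erik's migration scheme above, Hash(salt, Hash(password)), worked through as an added example. This is not code from Errata Security, phpBB or phplist, and none of the concrete choices come from the thread: the legacy store is assumed to be phpBB2-style hex MD5 of the password, the outer Hash is assumed to be PBKDF2-HMAC-SHA256 with a random 16-byte salt per user, the record format `scheme$iterations$salt_hex$digest_hex` and the `login()` upgrade step are assumptions, and the sample rows are constructed. The point the code makes is the one Erik makes: the stored MD5 is the *input* to the new salted hash, so every row is migrated in one offline pass with no plaintexts and no cracking.

```python
"""Migrate unsalted MD5 password hashes to a salted scheme without plaintexts.

Added example (not code from the thread's authors or projects). Implements
Hash(salt, Hash(password)) as a bridge format, plus the direct salted scheme
that replaces it once a user has logged in. Assumed, not from the thread:
legacy = hex MD5 of the UTF-8 password; outer Hash = PBKDF2-HMAC-SHA256;
record = scheme$iterations$salt_hex$digest_hex.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the outer hash


def legacy_hash(password: str) -> str:
    """The unsalted scheme being retired: hex MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _outer(inner: bytes, salt: bytes, iterations: int) -> bytes:
    """Hash(salt, inner): the salted outer layer shared by both record types."""
    return hashlib.pbkdf2_hmac("sha256", inner, salt, iterations)


def wrap_legacy(legacy_md5_hex: str, salt: bytes | None = None) -> str:
    """Hash(salt, Hash(password)) computed from the stored MD5 alone.

    No plaintext and no cracking needed: the old digest is the inner hash.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = _outer(legacy_md5_hex.lower().encode("ascii"), salt, ITERATIONS)
    return f"wrapped-md5${ITERATIONS}${salt.hex()}${digest.hex()}"


def hash_direct(password: str, salt: bytes | None = None) -> str:
    """Hash(salt, password): the target scheme once the plaintext is in hand."""
    salt = os.urandom(16) if salt is None else salt
    digest = _outer(password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def migrate(store: dict[str, str]) -> dict[str, str]:
    """Rewrite every legacy row in one pass; each user gets a fresh salt."""
    return {user: wrap_legacy(md5_hex) for user, md5_hex in store.items()}


def verify(record: str, password: str) -> bool:
    """Check a password against either record format; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if scheme == "wrapped-md5":
        inner = legacy_hash(password).encode("ascii")  # recompute the inner MD5
    elif scheme == "pbkdf2":
        inner = password.encode("utf-8")
    else:
        return False
    computed = _outer(inner, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(computed.hex(), digest_hex)


def login(store: dict[str, str], user: str, password: str) -> bool:
    """Authenticate and, on success, drop the MD5 layer for this user.

    The wrapped form is a bridge: after a successful login the plaintext is
    available, so the record is replaced by the direct salted scheme.
    """
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record.startswith("wrapped-md5$"):
        store[user] = hash_direct(password)
    return True


# Constructed sample data: legacy rows as an unsalted MD5 table would hold them.
LEGACY_STORE = {
    "alice": legacy_hash("correct horse"),
    "bob": legacy_hash("hunter2"),
    "carol": legacy_hash("hunter2"),  # same password as bob: identical MD5 in the old table
}

if __name__ == "__main__":
    users = migrate(LEGACY_STORE)
    print("bob and carol now differ:", users["bob"] != users["carol"])
    print("alice logs in:", login(users, "alice", "correct horse"))
    print("alice record scheme:", users["alice"].split("$")[0])
```

Two caveats worth keeping in mind when using this pattern. Wrapping protects against the next leak, not the last one: the unsalted MD5 table that was already taken stays exactly as crackable as before. And against an attacker who steals the wrapped table, each guess still costs one MD5 plus one outer hash per user; what the salt buys is that precomputed tables are useless and work can no longer be amortised across users, which is why the `login()` upgrade to the direct scheme is included rather than leaving the bridge format in place forever.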