

Ubuntu Forums are back up and a post mortem - daker
http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/

======
euxneks
>>> Hooks in vBulletin are arbitrary PHP code which can be made to run on
every page load.

Terrible. Why even allow this. A terrible, horrible kludgy hack.

------
eblume
What I find most sobering about this is that it sounds like were it not for
the defacement __6 days after the hack__, no one would ever have been any the
wiser.

I know that DB-level and web-server-level intrusion detection systems exist -
can the HN community comment on what might have detected this particular
attack (even if only after-the-fact?).

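Added example in answer to the question above; this is not code from the post-mortem, from vBulletin or from any commenter. Since the page says hooks are arbitrary PHP stored in the forum and run on every page load, the most direct detector is a baseline diff of the stored hook code. The record layout (`pluginid`, `hookname`, `phpcode`), the hook names and both snapshots below are constructed assumptions, and the obfuscation heuristic is only a heuristic.

```python
"""Baseline-diff check for stored vBulletin plugin hooks (constructed example).

Assumptions: hooks are rows with a plugin id, a hook name and a PHP body in
a `phpcode` field. Field names and hook names are illustrative, and the
snapshots are constructed, not a real dump.
"""
import hashlib
import re

# Calls that rarely appear in legitimate forum plugins but commonly carry
# obfuscated payloads. A heuristic to prioritise review, not a verdict.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\(",
    re.IGNORECASE,
)


def fingerprint(plugins):
    """Map plugin id -> (hook name, sha256 of code): small, comparable baselines."""
    return {
        p["pluginid"]: (p["hookname"], hashlib.sha256(p["phpcode"].encode("utf-8")).hexdigest())
        for p in plugins
    }


def diff_hooks(baseline, current):
    """Compare two snapshots; return (added, modified, removed) plugin ids."""
    base = fingerprint(baseline)
    now = fingerprint(current)
    added = sorted(set(now) - set(base))
    removed = sorted(set(base) - set(now))
    modified = sorted(pid for pid in set(base) & set(now) if base[pid] != now[pid])
    return added, modified, removed


def flag_suspicious(plugins):
    """Plugin ids whose PHP body uses obfuscation-friendly calls."""
    return sorted(p["pluginid"] for p in plugins if SUSPICIOUS_CALLS.search(p["phpcode"]))


# Constructed snapshots: a known-good baseline and a later read of the same table.
BASELINE = [
    {"pluginid": 1, "hookname": "global_start", "phpcode": "$vbulletin->options['motd'] = 'Welcome';"},
    {"pluginid": 2, "hookname": "showthread_start", "phpcode": "// count views\n$views++;"},
]
CURRENT = [
    {"pluginid": 1, "hookname": "global_start", "phpcode": "$vbulletin->options['motd'] = 'Welcome';"},
    {"pluginid": 2, "hookname": "showthread_start", "phpcode": "// count views\n$views++; // edited"},
    # Placeholder body: the obfuscated-loader shape, with no real payload.
    {"pluginid": 3, "hookname": "global_start", "phpcode": "eval(base64_decode('PLACEHOLDER'));"},
]


def report(baseline=BASELINE, current=CURRENT):
    """One-shot summary suitable for a cron job or SIEM input."""
    added, modified, removed = diff_hooks(baseline, current)
    return {
        "added": added,
        "modified": modified,
        "removed": removed,
        "suspicious": flag_suspicious(current),
    }


if __name__ == "__main__":
    print(report())
```

Run against a read-only replica or an exported copy of the plugin table on a schedule, and alert on any non-empty `added` or `modified` list: legitimate hook changes are rare and go through a change ticket, so every unexplained diff is worth a look. Pair it with file-integrity monitoring of the PHP tree, since a hook stored in the database never touches the web root and a file-only monitor would miss it.
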
------
pdknsk

>> They used this access to download the ‘user’ table which
>> contained usernames, email addresses and salted and hashed
>> (using md5) passwords for 1.82 million users.

Somewhere, oclHashcat makes room temperature rise.

------
johnchristopher
I always suspected forums that don't have read-only or static mode would prove
to be a bad choice as knowledge repository. Google queries returned a lot of
ubuntuforums links for many ubuntu problems I encountered or random googling I
did these past few days.

------
bashinator
In the "What We've Done" section, there's no mention of changing the password
hashing algorithm away from md5 to bcrypt or PBKDF2.

~~~
richadams
Later in the page (in the "Hardening" section), they mention that they've
switched the forums to use Ubuntu SSO for authentication, instead of needing
to store forum passwords.

~~~
plywoodtrees
And I wonder what hashing approach Ubuntu SSO uses?

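Added example illustrating both pdknsk's point about oclHashcat and bashinator's about moving off md5; it is not code from the post-mortem, from vBulletin or from Ubuntu SSO. The page only says "salted and hashed (using md5)", so the legacy layout md5(md5(password) + salt) is an assumption here, as is the PBKDF2 iteration count. The block measures how much more each candidate password costs under PBKDF2-HMAC-SHA256 than under salted md5, which is what decides how far a leaked table gets a GPU cracker.

```python
"""Salted md5 versus an iterated KDF: per-guess cost (constructed example).

Assumptions: the legacy scheme is md5(md5(password) + salt) with a hex
salt; the PBKDF2 iteration count is illustrative and should be tuned
higher for new deployments.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # illustrative; raise until a login costs tens of ms


def vb_salted_md5(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated KDF: every guess costs `iterations` HMAC-SHA256 evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def verify_pbkdf2(password: str, salt: bytes, stored_hex: str,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so verification does not leak how much matched."""
    return hmac.compare_digest(pbkdf2_sha256(password, salt, iterations), stored_hex)


def seconds_per_guess(hash_once, guesses: int) -> float:
    """Wall-clock cost of one candidate password under a scheme (one CPU core)."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_once(f"candidate{i}")
    return (time.perf_counter() - start) / guesses


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-md5 guess."""
    salt = secrets.token_bytes(16)
    md5_cost = seconds_per_guess(lambda p: vb_salted_md5(p, salt.hex()), 20_000)
    kdf_cost = seconds_per_guess(lambda p: pbkdf2_sha256(p, salt, iterations), 5)
    return kdf_cost / md5_cost


if __name__ == "__main__":
    factor = slowdown_factor()
    print(f"one PBKDF2 guess costs about {factor:,.0f}x a salted-md5 guess on this CPU")
```

The salt only stops precomputed tables; it does nothing about per-guess speed, and a GPU cracker runs billions of md5 guesses per second. The iteration count is the lever that scales with the defender's hardware, and bcrypt or scrypt give the same effect with memory cost on top; an SSO handoff, as richadams notes the forums did, removes the stored hashes from the forum entirely.
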
------
claudiug
php, md5, xss. happy

