
Notice of security breach on Ubuntu Forums - onosendai
https://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/
======
jrowley
I like the direct communication style of this document.

~~~
creeble
Indeed, if only all such disclosures were so transparent.

I suppose transparency ends up being in reverse proportion to perceived
liability, or some approximation thereof. This seems rather minor.

------
AlphaGeekZulu
Although they obviously failed in their security efforts, I think they did a
good job in communicating the incident. No beating around the bush.

------
zaroth

      They used this access to download portions of the ‘user’ table which contained 
      usernames, email addresses and IPs for 2 million users. No active passwords were 
      accessed; the passwords stored in this table were random strings as the Ubuntu Forums 
      rely on Ubuntu Single Sign On for logins. The attacker did download these random 
      strings (which were hashed and salted).
    

Is that a session token they are talking about? What part of the OpenID
protocol would involve saving a so-called "password" in the users table which
is really just a "random string", but which was also hashed and salted?

Ubuntuforums does use Ubuntu One for SSO, there should be no "passwords" at
all in the table, so I'm not quite sure what to make of that paragraph.
Typically session tokens are not salted and hashed, although you can actually
do that to avoid having to revoke them after a breach.

~~~
hueving
It's likely leftover schema from when a password was used instead of the SSO.
I've seen this when a system transitioned to SSO that is based on another
forum technology that also supports passwords. Just filled the regular password
fields with garbage, basically.
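
zaroth's question about the hashed random strings in the password column, hueving's explanation that the column is leftover schema filled with garbage after the SSO migration, and zaroth's aside that session tokens can be hashed so that a dump does not force a revocation all come down to one idea: store only a hash of a high-entropy secret, so that a downloaded table contains nothing an attacker can present to the server. The following Python is an added example written for this thread, not code from Ubuntu Forums, vBulletin or the Canonical notice; the in-memory USERS and SESSIONS dictionaries, the PBKDF2 parameters and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the forum's 'user' table and a session
# table. A real deployment would use the database; the logic is the same.
USERS = {}
SESSIONS = {}

PBKDF2_ROUNDS = 200_000  # assumed work factor for the legacy password scheme


def neutralize_legacy_password_column(user_id, username):
    """Write a user row whose password column holds a salted hash of random bytes.

    This is the SSO-migration step hueving describes: the column still has to
    exist for the forum software, so it is filled with the hash of a random
    string that is thrown away immediately. No credential exists to steal.
    """
    salt = secrets.token_bytes(16)
    junk = secrets.token_bytes(32)  # discarded; never stored anywhere
    digest = hashlib.pbkdf2_hmac("sha256", junk, salt, PBKDF2_ROUNDS)
    USERS[user_id] = {
        "username": username,
        "password_salt": salt.hex(),
        "password_hash": digest.hex(),
    }
    return USERS[user_id]


def legacy_password_login(user_id, candidate):
    """The old password check, kept for completeness; it can never succeed."""
    row = USERS.get(user_id)
    if row is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(row["password_salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), row["password_hash"])


def hash_token(token):
    """Plain SHA-256 is enough here: the token is 256 bits of CSPRNG output,
    so there is no dictionary to attack and no salt is needed."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user_id):
    """Create a session; the only copy of the raw token goes to the browser."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hash_token(token)] = user_id
    return token


def resolve_session(token):
    """Look the presented cookie value up by its hash; None if unknown."""
    return SESSIONS.get(hash_token(token))


def simulate_dump():
    """What an attacker with SELECT on both tables would walk away with."""
    return {"users": dict(USERS), "sessions": dict(SESSIONS)}


def replay_from_dump(dump):
    """Attacker tries every stored session value as a cookie. Returns True if
    any of them is accepted, which would mean the dump was useful."""
    return any(resolve_session(stored) is not None for stored in dump["sessions"])


if __name__ == "__main__":
    neutralize_legacy_password_column(1, "alice")
    cookie = issue_session(1)
    print("live cookie resolves:", resolve_session(cookie) == 1)
    print("dump replays:", replay_from_dump(simulate_dump()))
```

The password column is hashed with the same salted scheme real password rows would have used, so migrated rows are indistinguishable from real ones and a leaked salt plus hash gives the attacker nothing to crack towards. Session tokens get an unsalted hash because the secret is already uniformly random; the server only ever stores the hash and looks cookies up by hashing what the client presents, so the rows in a dump cannot be replayed and there is no operational need to log everyone out after a breach.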

------
ProxCoques
Not another one? Didn't they get p0wned a few years ago?

~~~
awill
yep.
[http://www.theregister.co.uk/2013/07/21/ubuntu_forums_breach...](http://www.theregister.co.uk/2013/07/21/ubuntu_forums_breached_18_passwords_pinched/)

------
guessmyname
> Hardening

> We’ve installed ModSecurity, a Web Application Firewall, to help prevent
> similar attacks in the future.

> We’ve improved our monitoring of vBulletin to ensure that security patches
> are applied promptly.

What? They _just_ added a firewall in their forum? What were they thinking all
these years then? Either none of their engineers thought about adding an extra
layer of security to this website during all these years, or the chain of
command in this company is so strict that any suggestion from their engineers
is dismissed until a security breach is detected. What a shame, first Linux
Mint, and now these guys.

~~~
0x0
A "WAF" like modSecurity is not the same as a network packet firewall. And a
WAF might contain lots of heuristics and overly strict rules that might break
web applications in subtle ways.

~~~
guessmyname
What are you talking about? I am saying that they added ModSecurity just now;
why didn't they add it years ago? Whether a WAF will affect some features in
their forum has nothing to do with my comment, which was intended as a criticism
of the bad timing of their sysadmins. Why add ModSecurity now, "after" the
breach, and not before? Wasn't it obvious that someone would try to hack their
forum?

Are you just saying that my criticism makes no sense?

~~~
0x0
Sorry, I thought you assumed they were talking about a "normal firewall"
missing since the start. Installing a WAF isn't always standard procedure for
LAMP stacks as far as I know, so I wouldn't fault them for not doing that
initially. Obviously they have changed their minds now :)

