Ubuntu Forums - FYI
Patrick Asselman
iceblink at seti.nl
Mon Jul 22 09:47:06 UTC 2013
On 2013-07-21 19:13, Istimsak Abdulbasir wrote:
> On Jul 21, 2013 10:28 AM, "Basil Chupin" <blchupin at iinet.net.au>
> wrote:
>> On 21/07/13 23:32, compdoc wrote:
>>
>>>> Doesn't really answer the question: what system is this vBulletin
>>>> being run on? Windows?
>>>
>>> I doubt a community that loves linux would run their systems on
>>> windows.
>>
>> What I am surprised about is that I would have expected an avalanche
>> of posts stating that vBulletin is being run on a server using Linux
>> but so far no one has come up with such an assurance which indicates
>> to me that Windows is involved.
>>
>> What is that (?)annual competition for hackers where the first prize
>> offered is the latest model of a well known brand of laptop and where,
>> at all such competitions, the first system to be hacked is Windows
>> (the last time it took someone less than 2 minutes to hack it)
>> followed by Apple, which took just a bit longer, and Linux has yet
>> to be hacked?
>>
>> BC
>
> Nothing is unhackable. It does not matter what system you use, Linux,
> Windows or MacOS. All it takes is time and determination. Linux is by
> far the best system to use for security implementation. It has many
> options. The well known one is requiring root privilege for system
> configuration. That is if the user knows what they are doing.
>
> In the case of the Ubuntu Forums, vBulletin was the victim and it was
> said that this software was outdated. Why Canonical did not recognize
> this is a big question. Even on a secure system, if the user or admin
> doesn't take all the necessary steps to ensure strong security, then
> anything can be hacked. This is not a reason. Remember, the system
> offers the option of security. It is the user that needs to know how to
> use it.
>

I agree with the statement that nothing is unhackable. But I doubt
Linux is the best system to use for secure implementations. It all
depends on what you are trying to achieve with the system. There are far
more secure systems than Linux, but most of them don't run a web server
on the internet ;-)

The cause is indeed said to be due to vBulletin forum software that had
not received the latest security patches. ref:
http://www.omgubuntu.co.uk/2013/07/ubuntu-forum-hacked-users-advised-to-change-passwords

This does not necessarily mean that the Ubuntu team was lax; security
patches are released all the time. It may just mean this hacker
exploited faster than they patched.

The hacker goes by the nickname of "Sputn1k_". His(?) Twitter account
was taken offline, but he has twittered "You can stop worrying about
your passwords. Yes, they were encrypted. Encrypted with the default
vBulletin hashing algorithm (md5(md5($pass).$salt). Whilst it may not be
the strongest, when you're dealing with 1.8m users it would take a very
long time to get anywhere with the hashes. You don't have to worry about
a DB leak. That isn't how I like to do things." Of course if you are
clever you don't trust what this person says and take your own
precautions regardless ;) Google cache may still work as reference:
http://webcache.googleusercontent.com/search?q=cache:Tv6iViVq598J:https://twitter.com/Sputn1k_+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

Why do hackers do this? I can think of a few reasons. If you are lucky
they do it to show that a site needs better security, and that is all.
More realistically they do it to harvest active email addresses that
they can sell to spammers. Sometimes hackers want to get attention and
put up some political statement on a much-visited site. Some hackers may
want to get into a system and place a backdoor entrance so they can come
back later and maybe modify some source code (but those are not likely
to deface a page like this). Worst case, they will analyse the obtained
data in detail, try to decode passwords, and try and make the most of
it.

@BC: you really need to read up on system security, considering the
naive statements you are making!

Best regards,
Patrick Asselman
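
An added example, not part of the original message and not vBulletin's or Canonical's code: the md5(md5($pass).$salt) construction quoted above is cheap to compute, so one defensive step after a breach like this is to wrap every stored hash in a slow KDF immediately, without waiting for users to log in. The record layout, scheme names, sample row and PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def vb_legacy_hash(password: str, salt: str) -> str:
    """md5(md5($pass).$salt) as quoted in the post; PHP md5() returns hex text."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: bytes) -> str:
    """Stretch an existing legacy hash with PBKDF2; no plaintext is needed."""
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), wrap_salt,
                             PBKDF2_ITERATIONS)
    return dk.hex()


def upgrade_record(record: dict) -> dict:
    """Replace a bare legacy hash with its PBKDF2-wrapped form (idempotent)."""
    if record["scheme"] != "vb-md5":
        return record
    wrap_salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-over-vb-md5",
        "salt": record["salt"],          # original per-user salt is still required
        "wrap_salt": wrap_salt.hex(),
        "hash": wrap_legacy(record["hash"], wrap_salt),
    }


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against either the legacy or the wrapped scheme."""
    candidate = vb_legacy_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2-over-vb-md5":
        candidate = wrap_legacy(candidate, bytes.fromhex(record["wrap_salt"]))
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample row, not real forum data.
SAMPLE = {"scheme": "vb-md5", "salt": "a1B",
          "hash": vb_legacy_hash("correct horse", "a1B")}
```

After the batch upgrade the bare MD5 values can be deleted from the database, so a later dump only exposes the slow hashes.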