Wednesday, February 4, 2009

Largest Bulletin Board providers compromised

I regularly contribute to and help run a couple of Internet Bulletin Boards in my spare time, and it was while running one of these this morning that something quite interesting popped up. On this particular site I had installed PHPBB (which holds the largest market share for Internet boards), and my version was a bit out of date, so I thought it was time to wander over to http://www.phpbb.com and grab the latest update. To my surprise I came across:

Hmm - that can't be good was my knee-jerk reaction, and judging from the waves of comments on other sites, everyone else's as well. Cries of "Oh Noes! De Interwebz is broken" or their equivalent were fairly widespread. Unfortunately a large chunk of today's Internet users spend a very short amount of time reading a page before deciding whether to move on or read the rest. In the case of phpbb.com, it looks like this attention span lasted about 2 lines, as line number 3 clearly reads (in bold):

No vulnerabilities have been found in the phpBB software itself.

Excellent! It appears the Internet has not come to a grinding halt after all (unlike last Sunday). Some further reading on the PHPBB support forums shows that the vulnerability is in an entirely different piece of software running on the site, PHPList, a newsletter manager which allows you to add and manage users along with creating and emailing newsletters. According to the support forums:

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

This database is from PHPBB3, which uses a much stronger password hashing scheme than PHPBB2 (plain MD5). Unfortunately any users who signed up to the support site back when it was still running PHPBB2, and have not signed in since the upgrade, will still have their passwords stored in the older format, which is trivial to crack with freely available rainbow tables. Users have been advised to reset their passwords on all other sites where they also use it.
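As an added illustration (example code, not from the original post or the phpBB project) of why those legacy rows matter: the audit below flags unsalted 32-hex MD5 hashes in a constructed users table and shows that one precomputed lookup applies to every such hash, while a salted hash, standing in for phpBB3's format, does not. The account names, the wordlist and the PBKDF2 stand-in are assumptions.

```python
import hashlib
import os
import re

# Constructed sample rows shaped like a phpBB users table (username, password_hash). These
# are made-up accounts, not data from the phpBB.com dump: the legacy rows use phpBB2's
# unsalted MD5, and "carol" uses a salted hash standing in for phpBB3's "$H$" phpass format.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def legacy_md5(password: str) -> str:
    """phpBB2-style storage: unsalted MD5 of the password, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted, iterated hash standing in for phpBB3's phpass scheme (not its exact algorithm)."""
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

SAMPLE_USERS = [
    ("alice", legacy_md5("password")),                   # never logged in since the upgrade
    ("bob",   legacy_md5("correcthorse42")),             # legacy format, not in the wordlist
    ("carol", salted_hash("password", os.urandom(16))),  # same password as alice, but salted
]

# A small constructed wordlist plays the role of a precomputed table: one MD5 per candidate,
# computed once and reusable against every unsalted hash in any dump.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty"]

def build_lookup(words):
    return {legacy_md5(w): w for w in words}

def audit(rows, words):
    """Classify each account so a site owner knows who must be forced to reset."""
    lookup = build_lookup(words)
    result = {}
    for user, h in rows:
        if not LEGACY_MD5_RE.match(h):
            result[user] = "salted"        # per-user salt: no shared table applies
        elif h in lookup:
            result[user] = "legacy-weak"   # unsalted MD5 found directly in the table
        else:
            result[user] = "legacy"        # still unsalted; reset regardless
    return result

if __name__ == "__main__":
    for user, status in audit(SAMPLE_USERS, COMMON_WORDS).items():
        print(f"{user}: {status}")
```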

Password Policy

I've already referred to password policy in a previous post, but here's another little tip: pick and remember 3 different passwords (more on choosing strong passwords in the previous blog post).

1) Use the 1st one for all public sites that you sign up to - bulletin boards, social networks, and the vast array of other web sites that seem to need you to give them password details.

2) Have another, different password for your laptop/desktop itself, to protect against physical access to your system.

3) Lastly, pick a separate password for your email account - the holy grail for password thieves. Have a search through your emails for the words "Password" or "New Account" - it's scary how many will turn up. Compromise someone's email and you compromise their entire online web activity.

Lastly - change these passwords every 6 months. If you do this you will have gone a LONG way to keeping your information secure online. Having separate levels of passwords is key - the number of people who blindly sign up for sites and provide both their email address and the password they also use for that email account as login details is scary. If you are not used to remembering separate passwords, try to pick ones that have something in common. I'll end this with a simple, easy to remember example (Note: don't bother trying to access my email account with these :) )

Level-1 Password: aFiFuOf$$$
Level-2 Password: 4aF$$$Mo
Level-3 Password: ThGoThBa&ThUg

Clue: Spaghetti Westerns


NOTE: The hacker who carried out the attack has posted a very interesting step-by-step account here - http://hackedphpbb.blogspot.com/2009/01/place-holder.html
