
Police investigate case of 80,000 user names and password hashes made public

Finland’s National Bureau of Investigation (NBI) is leading an international police inquiry into the case of some 80,000 user names and password hashes having been published on the net. (Here is a sanitized version of the file in question.) Some passwords even went out in plain text rather than as hashes, and are therefore ready for use, no cracking required. Bear in mind that a hash is not encryption: an unsalted hash of a common password is cracked in seconds with a dictionary, so most of the hashed entries should be treated as compromised too.

Additionally, some user name entries also contain the owner’s email address. This, of course, is a privacy threat, since user names, particularly unusual ones, can now be mapped to email addresses, which in turn may make it easy to determine names, street addresses, and such information.
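To make the plain-text versus hash distinction above concrete, here is an added example (not code from the original post, and not the real file) that parses a constructed list in the same "username:secret" shape, tells clear-text entries apart from hashes, and cracks the hashed ones with a single precomputed dictionary table. It assumes the hashes are unsalted MD5, the format older phpBB releases stored; the sample users, digests and word list are constructed for the demonstration. Two users with the same password share the same digest, which is exactly why one lookup table cracks every account at once.

```python
import hashlib
import re

# Constructed sample in the shape of the published list: "username:secret",
# where secret is usually an unsalted 32-hex MD5 digest but is sometimes the
# password itself in the clear. This is NOT the real file.
SAMPLE_LEAK = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:5f4dcc3b5aa765d61d8327deb882cf99
carol:e10adc3949ba59abbe56e057f20f883e
dave:Sunshine1
erin:0d107d09f5bbe40cade3de5c71e9e9b7
frank:$P$BxyzNotAnMd5Hash0123456789abc
"""

# Constructed, deliberately tiny word list; a real attacker uses millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "football"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def classify(secret: str) -> str:
    """Guess how a leaked secret was stored: unsalted MD5, a salted hash, or clear text.

    Heuristic only: a clear-text password that happens to be 32 hex characters
    would be misclassified as MD5.
    """
    if MD5_HEX.match(secret):
        return "md5"
    if secret.startswith(("$P$", "$H$", "$1$", "$2", "$5$", "$6$")):
        return "other-hash"   # salted formats (phpass, crypt): no shared lookup table possible
    return "plaintext"


def parse_leak(text: str) -> list[tuple[str, str, str]]:
    """Split 'user:secret' lines into (user, secret, kind); malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, secret = line.split(":", 1)
        rows.append((user, secret, classify(secret)))
    return rows


def build_md5_table(words: list[str]) -> dict[str, str]:
    """Precompute digest -> word once. Without a salt, one table serves every user."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_passwords(text: str, words: list[str]) -> dict[str, str]:
    """Return user -> password for every entry that is clear text or cracks with the table."""
    table = build_md5_table(words)
    found = {}
    for user, secret, kind in parse_leak(text):
        if kind == "plaintext":
            found[user] = secret          # ready to use, no cracking
        elif kind == "md5" and secret in table:
            found[user] = table[secret]   # one dictionary lookup per user
    return found


def shared_hashes(text: str) -> dict[str, list[str]]:
    """Group users by identical MD5 digest: identical digests mean identical passwords."""
    groups: dict[str, list[str]] = {}
    for user, secret, kind in parse_leak(text):
        if kind == "md5":
            groups.setdefault(secret, []).append(user)
    return {h: u for h, u in groups.items() if len(u) > 1}


if __name__ == "__main__":
    for user, pw in recover_passwords(SAMPLE_LEAK, WORDLIST).items():
        print(f"{user}: {pw}")
    print("users sharing a digest:", shared_hashes(SAMPLE_LEAK))
```

Only frank's entry survives, because his hash carries a per-user salt and would have to be attacked individually; everyone else falls to one table built from five words.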

Many credentials were gained by exploiting vulnerabilities in the phpBB, SMF and WordPress software packages, although other methods were used as well. At least the following sites have reported their users (some or all) being on the list:

  • BatMUD
  • forum.unimaa.net
  • Frettinetti
  • Hilavitkutin.com
  • Kiekkoliiga
  • Mesenet.org
  • Rakkausrunot.fi
  • Voitta.net

Whether you are an end user or an administrator, take note of the epilogue:

You’ll hear more about us sooner than you think. So don’t worry, if you weren’t on the list, wait for the next release.

A similar incident occurred a few weeks ago, when 100 user names and passwords belonging to governments and embassies were sniffed and posted.


Do not become a victim! Whether or not you are Finnish, change your password often. A good password — which obviously must not be a natural language word — is easy for you to remember, but impossible for another person to guess. Also do not share passwords between services. Instead, use a separate password for every site. Additionally, try to gauge whether the service you consider signing up for really is worth your trust; it is almost too easy to set up a web forum or similar facility while neglecting security.

If you run a web forum, social networking site, or similar service, here is more to do:

  • Obtain the complete list, and check it against your user base, especially if you cater predominantly to Finnish users.
  • If you can, replace passwords with a safer method, such as client certificates or third-party authentication.
  • If you are stuck with password authentication, enforce safe passwords by means of system policies, and never store them in the clear: store only salted hashes, so that a stolen table cannot be cracked with one lookup table.
  • Do not allow passwords to be transmitted in the clear. Send them only over an encrypted connection (TLS) to a recipient whose identity has been verified, so that a "man in the middle" cannot read them.
  • Keep your systems up to date. Carefully follow the information security scene so that you will be informed of vulnerabilities as early as possible.
  • Educate your users, and make sure they actually get it. If feasible, have them pass a test as a prerequisite to obtaining privileges.
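The first item above, checking the list against your own user base, is worth spelling out in code, since the e-mail addresses mentioned earlier mean an account can be on the list even when the user name differs. The following is an added example, not code from the original post: it cross-references a constructed leaked list (again "username:secret" with an optional e-mail field, not the real file) with a constructed local user base that stores salted, stretched PBKDF2 hashes, matches by user name and then by e-mail, tests leaked clear-text passwords against the local store to detect reuse, and assigns an action per account. The hash format, the `pbkdf2_sha256$rounds$salt$digest` string layout, and all users and addresses are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Constructed leaked list in the shape of the published one (NOT the real file).
# Each line is "username:secret" with an optional ":email" field.
LEAKED = """\
Alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:Sunshine1:bob@example.net
carol:e10adc3949ba59abbe56e057f20f883e:carol@example.org
mallory:hunter2
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def make_hash(password: str, rounds: int = 100_000) -> str:
    """Assumed storage format: one random salt per user plus key stretching, so equal
    passwords get different digests and a stolen table cannot be cracked with one lookup."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed local user base of a forum that already stores passwords properly.
USERS = [
    {"username": "alice", "email": "alice@example.com", "hash": make_hash("not-the-leaked-one")},
    {"username": "bobby", "email": "Bob@Example.net",   "hash": make_hash("Sunshine1")},
    {"username": "carol", "email": "carol@example.org", "hash": make_hash("123456")},
    {"username": "trent", "email": "trent@example.com", "hash": make_hash("unrelated")},
]


def norm(s: str) -> str:
    """Case-insensitive comparison key; 'Alice' and 'alice' are the same account."""
    return s.strip().casefold()


def parse_leak(text: str):
    """Yield (username, secret, email-or-None). A trailing field containing '@' is the
    e-mail; otherwise the whole remainder is the secret, so colons in passwords survive."""
    for line in text.splitlines():
        user, sep, rest = line.strip().partition(":")
        if not sep:
            continue
        secret, sep2, tail = rest.rpartition(":")
        if sep2 and "@" in tail:
            yield user, secret, tail
        else:
            yield user, rest, None


def match_leak(leak_text: str, users: list[dict]) -> list[dict]:
    """Cross-reference the leak with the local user base and decide an action per account."""
    by_name = {norm(u["username"]): u for u in users}
    by_mail = {norm(u["email"]): u for u in users}
    findings = []
    for user, secret, email in parse_leak(leak_text):
        local, matched_by = by_name.get(norm(user)), "username"
        if local is None and email:
            local, matched_by = by_mail.get(norm(email)), "email"
        if local is None:
            continue
        kind = "md5" if MD5_HEX.match(secret) else "plaintext"
        if kind == "plaintext":
            reused = verify(secret, local["hash"])
            # Their current password here is public -> reset now; otherwise it is
            # public elsewhere -> still tell them, they may reuse it in future.
            action = "force_reset_now" if reused else "notify"
        else:
            reused = None        # cannot test a hash against a hash; assume it will be cracked
            action = "force_reset"
        findings.append({"username": local["username"], "matched_by": matched_by,
                         "leaked_kind": kind, "password_reused": reused, "action": action})
    return findings


if __name__ == "__main__":
    for finding in match_leak(LEAKED, USERS):
        print(finding)
```

Note that "bob" on the list is not a local user name at all; the e-mail field is what ties the entry to the local account "bobby", and the reuse check then shows that his published clear-text password is also his current password here.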

Administrators of cracked servers should contact the NBI. Users whose accounts have been compromised should instead contact their local police.

Have you been affected by the aforementioned lists, or by a similar security incident? How would you advise those at risk? Please post your comments!
