As someone who had to look after a relatively large vBulletin install (13000 users) for a number of years, I wasn't exactly dazzled by their competence either!
I'd go as far to say that vBulletin is a pile of crap.
Sure vB is crap... and then you look at the other options out there and realize they're even worse. Especially 5-10 years ago when many of the sites using vB started using it. It's wildly successful - at least in the niche I'm familiar with - for a reason. It's reasonably cheap, reasonably easy to work with even for nontechnical people, works reasonably well, and looks decent.
Every time I open the admin interface shivers run down my spine. I don't understand how anyone can find that 'easy to work with'. I'm technical so maybe that's it.
But you are right; the competition (at least it used to be; haven't needed any forums recently and the last one I made myself) was every far worse.
I've had to deal with the multi-day aftermath of an XSS worm twice. That's when you realise that it's as bad as it is. After that it was "get fucked" and move to phpbb which while is not a stellar product it seems to be put together with a modicum of common sense and has a responsive community and support.
Nope. Just not a fan of adding piles of abstraction on top of something that just crawls already. To be honest I'd use a different language/platform if you need to use patterns like that where they perform (java/c#).
Bit of a "no true scotsman" that one as well. Just because someone doesn't use Zend doesn't mean they write spaghetti.
I'm actually stunned by the terrible quality of most bulletin-board software. It's telling that every forum I enjoy frequenting is one where the developers pulled a NIH and re-invented the wheel.
> We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
> Enter in your existing password followed by your new password, twice for confirmation.
> Save this page at the bottom.
> Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose a password that you are not using on any other sites.
> If you have any additional questions or concerns, please feel free to contact our support team at http://www.vbulletin.com/go/techsupport or support@vbulletin.com.
> Sincerely,
Of course I reset the password to another generated LastPass one, but I did wonder what the scope of the attack was.
I wish they would refer to password hashes as password hashes and not call them 'encrypted passwords'. Encrypted passwords screams that you don't understand security and were storing real passwords instead of hashes. (Or, more properly, salted hashes.)
Yes a cryptographic hash (like MD5 or SHA etc) stores a non-reversible string. Encryption means that it reversible but lets be honest here, when writing an article most laymen understand the general idea of encryption as opposed to hashing.
I'd really like to see how this hack works for general knowledge and if it's purely via the script itself and not a server attack.
Don't forget that most symmetric encryption algorithms can be used as a hash. Just encrypt a known plaintext (usually all NUL bytes) using the password as the key.
If you do that and only that, you open yourself up to related-key attacks. A better approach would be to use a well-known scheme like the Merkle–Damgård construction.
If tech journalists would use the right terms that would at least help lead the public towards a better understandings of this issue. I presume they say 'encrypted' as their generally means 'not plain text' to the lay person. To be fair, we do call these cryptographic hashes.
By the way, if anyone is wondering how VBulletin forums store passwords... It's md5(md5(password)+salt).
if my memory is correct this is because they don't have access to $password; they get md5($password) from the client and to store that in the database with a salt need to run md5() again.
Maybe we should just give up and tolerate the non-technical usage of those terms. The situation with "hash" vs. "encrypt" seems just as hopeless as with "hacker" vs. "cracker".
I realize "hash" is too technical, but "encrypt" is a technical term with a different meaning.
If they'd just used a vague handwavy word like "encoded" we'd be left wondering what they did to the passwords and it would still be just as legible to the laymen, instead of being given an actually incorrect piece of information.
And a "cracker" is a subset of hackers. So as much as it makes self-identified hackers cringe, it is correct to say that a hacker broke into a system.
In ordinary usage, "encrypt" means "to change information from one form to another, especially to hide its meaning" (Merriam-Webster). It doesn't necessarily mean reversible, although in programmer jargon it does.
So hashing is a subset of encrypting, just like crackers are a subset of hackers.
I'd think "ordinary usage" would be by cryptographers and other cryptography-related personnel, not laypeople. Most of the people around where I live don't even know what cryptography is, and it's hit-and-miss whether or not they've heard of encryption.
From a theoretical point of view, hash functions are not only a subset of block ciphers: hash functions and block ciphers are equivalent. You can take a hash function and build a block cipher from it (use a Feistel network). You can also take a block cipher and build a hash function from it (use the Merkle–Damgård construction).
But even if you can build one from the other, saying something is 'encrypted' implies, in even the meanest definition, that it can be decrypted. If the layperson definition does not include this aspect, then it is, well, wrong. Even if you disagree on this point, I would expect a tech journalist to endeavor to use the correct, field-standard terminology, regardless, because as Pxtl says, anyone who is familiar with even the basics of cryptography will interpret "encrypted password" in an incorrect way (i.e., they'll see it as what Adobe did).
This is getting ridiculous now. I've had my password stolen probably at least four times this year.
I think that the browser developers should push for a keychain of random, generated passwords and use as many UI pointers as possible to push people to use these. Apple's implementation in Safari is what we should be aiming for, but pretty useless to me as I have Linux/Windows/Android devices that don't support Safari.
The problem with KeePass, LastPass, etc. is that you need to hear about them, look them up, and install them. Things would be much simpler if the browser included a similar functionality by default.
Unfortunately, all three major browser vendors seem too busy pushing their own single sign-on schemes (Chrome: Google account, IE: Microsoft account, Mozilla: Persona). So they're unlikely to pay any attention to plain old password generation and storage for the foreseeable future. Which is a real pity because passwords aren't going to disappear overnight.
I use LastPass, thank you very much. My only complaint is that most other people don't, and I think browser vendors are partly to blame for not doing what they can to bring about a large-scale adoption of password generation & storage best practices.
LastPass is a browser plugin. KeePass is a standalone application but it can pass credentials to your browser to save you the trouble of having to copy/paste them.
I've been using LastPass for a long time and even purchased their their Enterprise version for $work. I also use KeePass and recommend both.
I own a license of vBulletin. After approximately a year of experience with their codebase I decided that burning off my eyeballs with a hot spoon would be more fun. I wouldn't know where to start to describe just how bad their software is.
It doesn't end there. The folks who own vBulletin run a whole series of communities themselves:
At one point into configuring vBulletin I realized they had code in there that would allow them to monitor your site's traffic and performance. Which is genius if you run hundreds of sites yourself and want "probes" out there to discover areas that you could launch sites into. And, it is even more brilliant if you can have these "probes" be people who pay you to use software you produce. Imagine thousands of business experiments actually paying you and feeding you audience data. That really didn't sit well with me and a number of people who were awake while installing and configuring their vB software. The vast majority of folks running vB communities either don't care or don't have a clue.
There are other issues. Maybe someone else has the time to chime in.
I guess my point is that password security might not be at the top of their priority list.
I haven't touched the codebase in quite some time. My recollection might be a little off. If I remember correctly, when you integrate Google Analytics through the admin panel you are integrating a flavor of Google Analytics that actually passes the data through the vBulletin mothership.
Like I said, I stopped using vB a long time ago. For all I know they've fixed this issue. Please don't take my word for it as current versions might behave differently. If you are a vB user I suggest you ask in their various official and unofficial support forums.
Some good points there. I've always kept an eye on such business practices.
I worked for a SaaS ecommerce outfit a few years ago and they sold their stuff to all the competitors in the same market space. After a bit, they yanked it with 28 days' notice and went into direct competition with them. Assholes. Strikes me as the same sort of company.
Well, just go to their website (link in prior post) and you can see they run hundreds of forums. That always rubbed me the wrong way. I didn't learn about this until much after I purchased my vB license. Had I seen this prior to making that decision I would not have used their software. I wasn't trying to build a large community. I just thought it was a huge violation of ethics to sell people software and then go off and compete with your own customers. This isn't disclosed in the vB site. You have to dig to find who owns vB and then it's kind of in the fine print. The average prospective buyer is unlikely to discover this until much later, if ever.
There are 2 types of websites. Those which are important enough for you to remember a password for and those which aren't. Well the 50 or so which aren't important enough have one password and this password has been compromised at least 5 times this year. As far as I know people haven't been logging into my accounts but I guess there is nothing stopping them.
I find it really difficult to understand how this happens so often. In many cases it seems like security is an after-thought and procedures are poorly implemented.
If it is true that the vulnerability exploited has been in vB since version 4.. that means it has been there for 3 years! I wonder how sophisticated it really was? I wonder when the vBulletin last got an external security audit done..
Slightly off-topic, but is it common for an hacking team nowadays to have a facebook page? I could understand twitter for announcements, but the facebook interaction feels out of place, or is it just me?
Also, "We wanted to prove that nothing in this world is not safe" has a double negation, so they wanted to prove that there is something out there that could be safe?
46 comments
[ 2.3 ms ] story [ 90.8 ms ] threadI'd go as far to say that vBulletin is a pile of crap.
But you are right; the competition (at least it used to be; haven't needed any forums recently and the last one I made myself) was every far worse.
I've had to deal with the multi-day aftermath of an XSS worm twice. That's when you realise that it's as bad as it is. After that it was "get fucked" and move to phpbb which while is not a stellar product it seems to be put together with a modicum of common sense and has a responsive community and support.
Bit of a "no true scotsman" that one as well. Just because someone doesn't use Zend doesn't mean they write spaghetti.
> We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.
> To regain access to your account:
> Visit the vBulletin forums at http://www.vbulletin.com/settings/account
> Enter in your existing password followed by your new password, twice for confirmation.
> Save this page at the bottom.
> Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose a password that you are not using on any other sites.
> If you have any additional questions or concerns, please feel free to contact our support team at http://www.vbulletin.com/go/techsupport or support@vbulletin.com.
> Sincerely,
Of course I reset the password to another generated LastPass one, but I did wonder what the scope of the attack was.
I received the same one and it didn't come from vbulletin's domain name. If you go to the root of the domain name it says "Test page."
When you click the "read in browser" option you are taken to a page where all the links to access the forums do not work.
I thought it was a phishing attempt.
> http:// click.shopping.ibemail. com/
Not that it matters, I never follow links in emails and went direct to vbulletin.com
I bet they emailed everyone on their stolen email list though.
I'd really like to see how this hack works for general knowledge and if it's purely via the script itself and not a server attack.
By the way, if anyone is wondering how VBulletin forums store passwords... It's md5(md5(password)+salt).
if (md5(password + salt) == stored value) ..
If they'd just used a vague handwavy word like "encoded" we'd be left wondering what they did to the passwords and it would still be just as legible to the laymen, instead of being given an actually incorrect piece of information.
And a "cracker" is a subset of hackers. So as much as it makes self-identified hackers cringe, it is correct to say that a hacker broke into a system.
"encoded passwords".
So hashing is a subset of encrypting, just like crackers are a subset of hackers.
From a theoretical point of view, hash functions are not only a subset of block ciphers: hash functions and block ciphers are equivalent. You can take a hash function and build a block cipher from it (use a Feistel network). You can also take a block cipher and build a hash function from it (use the Merkle–Damgård construction).
But even if you can build one from the other, saying something is 'encrypted' implies, in even the meanest definition, that it can be decrypted. If the layperson definition does not include this aspect, then it is, well, wrong. Even if you disagree on this point, I would expect a tech journalist to endeavor to use the correct, field-standard terminology, regardless, because as Pxtl says, anyone who is familiar with even the basics of cryptography will interpret "encrypted password" in an incorrect way (i.e., they'll see it as what Adobe did).
I think that the browser developers should push for a keychain of random, generated passwords and use as many UI pointers as possible to push people to use these. Apple's implementation in Safari is what we should be aiming for, but pretty useless to me as I have Linux/Windows/Android devices that don't support Safari.
Unfortunately, all three major browser vendors seem too busy pushing their own single sign-on schemes (Chrome: Google account, IE: Microsoft account, Mozilla: Persona). So they're unlikely to pay any attention to plain old password generation and storage for the foreseeable future. Which is a real pity because passwords aren't going to disappear overnight.
http://www.chromium.org/developers/design-documents/password...
Looks like this is being done.
I've been using LastPass for a long time and even purchased their their Enterprise version for $work. I also use KeePass and recommend both.
It doesn't end there. The folks who own vBulletin run a whole series of communities themselves:
http://www.internetbrands.com/
At one point into configuring vBulletin I realized they had code in there that would allow them to monitor your site's traffic and performance. Which is genius if you run hundreds of sites yourself and want "probes" out there to discover areas that you could launch sites into. And, it is even more brilliant if you can have these "probes" be people who pay you to use software you produce. Imagine thousands of business experiments actually paying you and feeding you audience data. That really didn't sit well with me and a number of people who were awake while installing and configuring their vB software. The vast majority of folks running vB communities either don't care or don't have a clue.
There are other issues. Maybe someone else has the time to chime in.
I guess my point is that password security might not be at the top of their priority list.
I found the code for the "anonymous survey", but you have to submit it manually.
Edit: I think you might mean the news loaded remotely in the Admin CP upon every login. It's injected in the page as is.
Like I said, I stopped using vB a long time ago. For all I know they've fixed this issue. Please don't take my word for it as current versions might behave differently. If you are a vB user I suggest you ask in their various official and unofficial support forums.
I worked for a SaaS ecommerce outfit a few years ago and they sold their stuff to all the competitors in the same market space. After a bit, they yanked it with 28 days' notice and went into direct competition with them. Assholes. Strikes me as the same sort of company.
There are 2 types of websites. Those which are important enough for you to remember a password for and those which aren't. Well the 50 or so which aren't important enough have one password and this password has been compromised at least 5 times this year. As far as I know people haven't been logging into my accounts but I guess there is nothing stopping them.
I find it really difficult to understand how this happens so often. In many cases it seems like security is an after-thought and procedures are poorly implemented.
If it is true that the vulnerability exploited has been in vB since version 4.. that means it has been there for 3 years! I wonder how sophisticated it really was? I wonder when the vBulletin last got an external security audit done..
Also, "We wanted to prove that nothing in this world is not safe" has a double negation, so they wanted to prove that there is something out there that could be safe?