

LXLabs ticket system compromised(?) / WHT related apparently




Posted by UNIXy, 04-04-2009, 12:08 PM
Hello, We received the following email from LXLabs, verbatim. Unfortunately I can't find anything on this in WHT (the search functionality is not the best around). Prior to the above email, there was a nasty email, apparently, from the attacker with offensive language. My question is, how did the attacker decrypt the WHT password when we were told they are hashed and salted? Perhaps LXLabs is confused on this? What else was compromised? Could they have gained root access to the master nodes (oh oh)? Regards Last edited by UNIXy; 04-04-2009 at 12:13 PM.

Posted by DigitalLinx, 04-04-2009, 12:21 PM
See; http://www.webhostingtalk.com/showthread.php?t=851661 http://www.webhostingtalk.com/showthread.php?t=851642 http://forum.lxlabs.com/index.php?t=...11005&start=0& Apparently they had a very weak, probably dictionary word for a password, in which case it's trivial to reverse just about any encryption scheme out there no matter how secure/slow key/s it is. I never received an email from lxlabs concerning this, weird.

Posted by UNIXy, 04-04-2009, 12:28 PM
Thanks so much for the quick post and links. Regards

Posted by fwaggle, 04-04-2009, 12:31 PM
This is just my understanding of vB's password storage, I could very well be incorrect as I'm not a vB developer or have any real experience with it.
1) Take plaintext password, MD5 it.
2) Take that hash, add to it the salt.
3) MD5 result and store it or compare to stored hash.
Now, the chief strength of this is that in the case of gaining access to MySQL or exploiting SQL injection, without access to the salt which is stored in the vB config files, the hashes you have in the database are essentially worthless. Obviously, if they root the website somehow and can make off with both the database and the config file containing the salt, it does not make the passwords impervious; in fact all it does is make brute forcing them slightly more expensive computationally, because each iteration of MD5 has to run twice. I would imagine in this day and age concatenating the salt would be negligible. Again, that's just my limited understanding. But I don't see how, if someone can make off with all parts of the system (database and business logic included) you could consider password hashes impervious. But what do I know? As I said in a couple of other threads, if a site you have an account on is hacked, consider your password compromised. Or better yet, consider your password compromised the moment you register it with a site: having multiple accounts on different sites with the same password leads to exactly these kinds of scenarios.
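To make the scheme fwaggle describes concrete, the following added example (not code from the thread or from vBulletin) implements md5(md5(password) + salt) exactly as the three steps above lay it out, next to a deliberately slow, per-user-salted PBKDF2-HMAC-SHA256 alternative. The `hashes_per_second` helper measures how many hashes of each kind a single core computes per second; the gap is the reason a fast double-MD5 offers little protection once the salt leaks with the database, while a high-iteration KDF keeps the cost per attempt high. All names, the site salt and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Added example, not vBulletin's own code: the vB-style scheme as the post
# describes it (MD5 the password, append the site salt, MD5 again), and a
# slow salted KDF for comparison. Salt values below are constructed.


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def vb_style_hash(password: str, salt: str) -> str:
    """Steps 1-3 from the post: md5(md5(password) + salt)."""
    return md5_hex(md5_hex(password) + salt)


def vb_style_verify(password: str, salt: str, stored: str) -> bool:
    """Recompute and compare in constant time (avoids timing leaks on compare)."""
    return hmac.compare_digest(vb_style_hash(password, salt), stored)


PBKDF2_ITERATIONS = 600_000  # assumed work factor for the slow alternative


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per user and stored beside the digest, so a leaked
    table cannot be attacked with one precomputed list for every account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Parse the stored record, recompute with its own parameters, compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def hashes_per_second(hash_fn: Callable[[str], str], seconds: float = 0.5) -> float:
    """Single-core throughput of hash_fn; the cost per candidate is what
    decides whether a weak password survives a leaked table."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{count}")  # constructed input, value irrelevant
        count += 1
    return count / seconds


if __name__ == "__main__":
    site_salt = "constructed-site-salt"  # stands in for the vB config salt
    stored_vb = vb_style_hash("correct horse", site_salt)
    print("vB-style:", stored_vb, vb_style_verify("correct horse", site_salt, stored_vb))
    stored_kdf = pbkdf2_hash("correct horse")
    print("PBKDF2  :", stored_kdf[:60] + "...", pbkdf2_verify("correct horse", stored_kdf))
    fast = hashes_per_second(lambda p: vb_style_hash(p, site_salt))
    slow = hashes_per_second(lambda p: pbkdf2_hash(p, b"fixed-salt-for-timing", 100_000), seconds=2.0)
    print(f"md5(md5(p)+salt): ~{fast:,.0f}/s   PBKDF2 (100k iterations): ~{slow:,.0f}/s")
```

Run it as a script to see the throughput figures on your own machine; the exact numbers vary by CPU, but the double-MD5 rate will be several orders of magnitude above the PBKDF2 rate, which is the whole argument for a slow KDF with a per-user salt over a fast hash with a single site-wide salt.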

Posted by UNIXy, 04-04-2009, 12:40 PM
Like DigitalLinx said, it's very possible LXLabs had a simple, easily reversible dictionary password, which didn't even cross my mind, myself having such high expectation from the company. Thanks for the insight, Jamie. Regards

Posted by Scott.Mc, 04-04-2009, 02:13 PM
Given the fact the password they used to WHT was used for their helpdesk would indicate how pathetic their password security actually was and that was most likely why it was easy to brute force. Even with the salt the hash itself is easy enough to bruteforce against all possible combinations (reasonable length) in a few hours. That is the assumption that it was easily brute forced, but it is also possible that it was a good password and it was already in plain text (i.e. not encrypted) which, as we found out several months ago, the authentication for this forum when it was compromised then was changed to remove the client side hashing and log the passwords in plain text upon login. So it's not far fetched to believe this could have been running for a very long time without anyone even knowing about it; the only reason WHT administrators even knew is because users on the forum noticed, not the system administrators, which in itself speaks volumes.

Posted by Scott.Mc, 04-04-2009, 02:19 PM
Out of curiosity, from my last post to now (around 2 minutes???) that is how long it took to obtain the passwords for 5 of the 7 lxlabs users on WHT (all using the same pass) and you wouldn't believe what it is. I seriously hope that isn't what they were using. If it was, all of them deserve to be shot and should shut their business down immediately.

Posted by UNIXy, 04-04-2009, 08:33 PM
What a mess! This is sad.

Posted by LoganNZ, 04-04-2009, 08:52 PM
Leaders of the Hosting Community epic fail at the point of security, where are the "Professionals" running this forum? Big breach...

Posted by Xous, 04-05-2009, 04:47 AM
WHT probably made several mistakes in the way they setup their infrastructure. Most people tend to setup their security to protect from outside threats which causes huge problems when a single host is penetrated. This is pure speculation but I'd love to see a case study on the attack out of curiosity. The real problems in this certain case are:
a) They used an extremely weak password if Scott.Mc is correct.
b) They used the same password for multiple systems.
c) They did not change the password when notified of the potential problem.
d) They did not have a policy in place to ensure that passwords for all of their systems were changed.
e) They allow remote admin access from untrusted networks.
I trust that LXLabs has learned a valuable lesson. It certainly was an expensive one.


