Over 400,000 Accounts Stolen from phpBB

By jonfung at 12:54 pm on February 6, 2009

It was discovered last Saturday that an attacker had stolen thousands of user accounts, password hashes, and e-mail addresses from phpBB.com.  phpBB is open source and one of the most popular Internet forum packages.  The attack used a zero-day exploit in PHPList, a third-party mailing-list application, to gain access to the server's password and configuration files.  The attacker later published a blog post claiming to have acquired over 400,000 account details, and backed up the claim by posting the PHPList e-mail list and phpBB.com's user table.

Because this was a zero-day attack, no patch existed at the time that could have prevented it; PHPList was patched about two weeks after the vulnerability was discovered.  The exploit was first published in mid-January, which coincides with the period in which the attacker had access to the files, so it is likely that the attacker learned of the exploit from that publication and used it against phpBB.com.

Several things could have reduced the impact of this exploit.  First, publication of the exploit could have been delayed until a patch was available, which might have allowed the phpBB.com administrators to close the hole before the attacker knew it existed.  Second, if the administrators had encrypted stored user information such as e-mail addresses and account names, the attacker would not have been able to read it in any useful amount of time.  The caveat is that this only helps if the decryption key is not itself among the files an attacker can read from the compromised server; here the attacker already had the configuration files, so a key stored alongside them would have been exposed too.  Finally, the passwords the attacker recovered came from unsalted MD5 hashes.  Salting would have significantly increased the passwords' resistance to attack: an unsalted hash lets the attacker compute a dictionary or rainbow table once and look up every user's hash in it, and it also reveals which users share a password.  Simply switching to another fast hash such as SHA-1 would not have helped much.  The recently discovered design flaws in MD5 make it possible to construct collisions, but collisions are not what a password cracker needs; guessing passwords is a preimage search, and both MD5 and SHA-1 can be computed fast enough to test millions of guesses per second.  Password storage needs a per-user salt combined with a deliberately slow, iterated hash such as bcrypt or PBKDF2.
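The following is an added example, not code from phpBB, PHPList, or the original post, showing why the unsalted MD5 hashes mattered. It builds a constructed three-user table (not data from the real dump), cracks it with a single precomputed table of MD5 digests, and then stores the same passwords with a per-user random salt and PBKDF2 so that every guess against every user costs a fresh slow hash. The storage string format, the user names, and the wordlist are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the phpBB.com dump): three forum users,
# two of whom chose the same weak password.
USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "correct horse",
}

# A tiny guess list standing in for an attacker's wordlist (constructed).
WORDLIST = ["password", "123456", "letmein", "qwerty", "phpbb"]


def md5_unsalted(password: str) -> str:
    """Storage as described in the post: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Compute md5(word) once per wordlist entry, then look every user's hash
    up in that table. Cost is O(len(wordlist)) no matter how many users
    leaked, which is what makes unsalted hashes so cheap to attack."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, deliberately slow hash. The output format
    'pbkdf2_sha256$iterations$salthex$dkhex' is an assumption of this example."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts there is no shared table: each (user, word) pair
    costs a full PBKDF2 run. Returns recovered passwords and the number of
    hash computations the attacker had to perform."""
    found = {}
    work = 0
    for user, h in stored.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, h):
                found[user] = w
                break
    return found, work


def demo() -> dict:
    """Contrast the two storage schemes on the constructed user table."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    return {
        # Shared passwords are visible in an unsalted table before any cracking.
        "unsalted_duplicates_visible": unsalted["alice"] == unsalted["bob"],
        "salted_duplicates_visible": salted["alice"] == salted["bob"],
        "unsalted_cracked": crack_unsalted(unsalted, WORDLIST),
        "salted_cracked": crack_salted(salted, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both schemes still fall to a weak password that is in the wordlist; the difference is the cost per guess and the fact that the attacker's work no longer amortizes across the 400,000 leaked rows. Raising the iteration count (or using bcrypt) is what turns a cheap offline attack into an expensive one.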

Unfortunately, not much more can be done in response to these kinds of attacks.  Administrators may become wiser about encrypting identifiable information, but given that this advice is already well known, it seems that administrators in general have not yet learned the lesson.  Legally, intruding into other people's systems is already against the law, but when an attacker is very hard to detect and identify, the law is not an adequate deterrent.  Users may become increasingly aware that their identifiable information can be stolen if they share it with other parties, but ultimately they cannot avoid doing so indefinitely (or it may prove too inconvenient to avoid the interaction).  Encrypting user information would go a long way toward limiting the damage from leaks, but given that most organizations have failed to do so thus far and continue to leak information, it may take additional education and perhaps even legislation.


Filed under: Current Events
