Cracking phpBB passwords for fun and, well, just for fun

During the last weekend, about 80 000 password hashes (along with other user details) were stolen from various Finnish web forums. Or as the authors put it:

We cracked 78 000 (ok, almost 79 000) accounts around the net and of course we’d like to share them with you, right. Mostly Finnish accounts, so maybe it would be better to have this prologue in Finnish too.

The rest of the introduction is, as they mention, in Finnish (the authors pretended to be Swedes helped by a Finnish translator, who in turn used the same name as a script kiddie featured a couple of weeks ago on Finnish television in a documentary piece on computer security), so I won’t go into it here. Suffice to say, the ranting is similar to that found in the .nfo files of “scene releases”.

It’s worth noting that the authors did not actually “crack” any of the passwords; they just stole the hashes. This is a good thing, as some (basic) knowledge of hashes and programming is required before the list is of any use.

Some 30 000 of the passwords were plain unsalted MD5 hashes, presumably from phpBB forums. Another 30 000 were salted SHA-1 hashes (according to the authors of the list, from SMF forum software); because the salt makes each user’s hash unique, pre-computed tables are useless against them and each hash has to be attacked separately, which makes cracking them wholesale infeasible for an average user. The rest were unsalted SHA-1 hashes of undetermined source and, more worryingly, plain-text passwords from one particular Finnish website.

The most worrying piece of information in these files, however, is the e-mail addresses. Alongside the username/password combinations, about half of the entries also list the user’s e-mail address. The affected forums were quick to reset their users’ passwords, but more enterprising people have no doubt already tried the passwords from the list against the matching e-mail accounts: it’s common knowledge that many people, in addition to choosing weak passwords in the first place, reuse the same (weak) password everywhere. It doesn’t have to stop there, because a simple Google search on a leaked username or e-mail address is bound to turn up other sites (Facebook, Gmail, …) where the user has an account, presumably with the same password.

The authors have committed several crimes, including unlawful use, intrusion and “disturbing of computing peace”, as well as some personal data privacy offences. There have been a couple of high-profile DDoS attacks in Finland in the past, in which the National Bureau of Investigation has really shown its lack of skill in handling these issues. As far as I know, the real persons behind those attacks have not been identified, but the police got pranked by a screenshot distributed on the net as a joke, took it as the real deal and declared in the news that they had some good leads from that screenshot. In the end, I think, one of the “DDoS attacks” was actually just a misconfigured Apache web server.

The police and CERT-FI were quick on this case too, even though I wouldn’t count exploiting the publicly disclosed vulnerabilities of a couple of ice hockey and role-playing phpBB forums as being as serious as a DDoS attack against the national broadcasting company. What I think the police and CERT-FI are really afraid of is copycat crimes, as the internet is full of vulnerable WordPress and phpBB installations. By taking action now I believe they hope to discourage further attacks. Attacking these vulnerable apps (PHP having a notoriously bad security record) and cracking unsalted MD5/SHA-1 hashes is simple: pre-computed MD5 rainbow tables are readily available on the web, and because the hashes are unsalted, one table serves against every user of every forum. (As a side note, those users who happened to have the fairly common Finnish letters “ö” or “ä” in their passwords are a bit better off, because these pre-computed tables usually cover only ASCII character sets and therefore omit them.) For more information, I recommend this introduction to hash cracking by Coding Horror.

This attack, or password leak, is in my opinion not something the cops should spend too much effort on. The leak was most likely made “just for fun”, or the forums were incidental victims of a more targeted attack against a user or group of users on them. If I had access to the attacked user databases, I would compare them against the leaked lists and look at the discrepancies. The authors say in their introduction that they have “left some e-mail addresses out by purpose”. The missing users and/or their e-mails and, more importantly, any password hashes that differ from the ones in the file would probably give the investigators some hints. Too bad that the forum webmasters have already modified the databases (without taking back-ups first), so this kind of forensics is probably impossible to do anymore. Correlating the databases to find which users they had in common might also give clues to the intended targets, if there were any.
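The comparison described above, written out as an added example (this is not code from the original post, and the forum snapshot, leaked rows and e-mail addresses are all constructed): it joins a pre-reset user table with the published list on username and reports the four things an investigator would look at first, plus the cross-forum correlation of common usernames.

```python
"""Compare a leaked user list against a forum's own user table (constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class UserRow:
    username: str
    pw_hash: str
    email: Optional[str]  # None where the field is absent from the record


# Constructed snapshot of a forum's phpBB-style user table as it stood before
# any password resets; unsalted md5(password), as phpBB 2 stored it.
FORUM_DB = [
    UserRow("alice", md5_hex("salasana"), "alice@example.invalid"),
    UserRow("bob", md5_hex("qwerty"), "bob@example.invalid"),
    UserRow("carol", md5_hex("hockey"), "carol@example.invalid"),
    UserRow("dave", md5_hex("123456"), "dave@example.invalid"),
]

# Constructed version of what the attackers published for the same forum.
LEAKED = [
    UserRow("alice", md5_hex("salasana"), "alice@example.invalid"),
    UserRow("bob", md5_hex("qwerty"), None),                        # e-mail left out
    UserRow("carol", md5_hex("dragon"), "carol@example.invalid"),   # hash differs from DB
    UserRow("erin", md5_hex("letmein"), "erin@example.invalid"),    # no such user in DB
]


def compare(leak, db):
    """Return the discrepancies an investigator would want to look at first."""
    leak_by_name = {r.username: r for r in leak}
    db_by_name = {r.username: r for r in db}
    common = leak_by_name.keys() & db_by_name.keys()
    return {
        # Accounts the attackers have but the forum does not: deleted since the
        # theft, or the row came from another site and the list is a merge.
        "only_in_leak": sorted(leak_by_name.keys() - db_by_name.keys()),
        # Accounts the forum has but the list lacks: omitted on purpose?
        "only_in_db": sorted(db_by_name.keys() - leak_by_name.keys()),
        # Same account, different hash: the password changed between the theft
        # and the snapshot, or one of the two records was edited.
        "hash_mismatch": sorted(u for u in common
                                if leak_by_name[u].pw_hash != db_by_name[u].pw_hash),
        # E-mails the forum stores but the published list omits.
        "email_omitted": sorted(u for u in common
                                if leak_by_name[u].email is None and db_by_name[u].email),
    }


def common_users(*dumps):
    """Usernames present in every dump: candidate targets when several
    unrelated forums were hit at once."""
    names = [{r.username for r in d} for d in dumps]
    return sorted(set.intersection(*names)) if names else []


if __name__ == "__main__":
    for key, users in compare(LEAKED, FORUM_DB).items():
        print(f"{key:14s} {users}")
    # Constructed second-forum dump to show the cross-forum correlation.
    other_forum = [UserRow("carol", md5_hex("x"), None), UserRow("zed", md5_hex("y"), None)]
    print("common users:", common_users(LEAKED, other_forum))
```

The point of `hash_mismatch` is the one the post makes: a row whose hash differs from what the forum stored either changed after the theft or was edited by the publisher, and either way it is a lead. Once the webmasters reset passwords in place, every row becomes a mismatch and the signal is gone.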

The real problem is that these kinds of attacks are easy and usually the results are not publicly released. Unless the attacker wants to hit a specific website, a simple Google search will come up with suitable targets (that is, out-of-date phpBB forums). These attacks are probably happening all the time and go unnoticed. The webmaster is responsible for keeping every public internet service he runs up to date and secure. The developer of a web application should read up on the best practices of password storage (e.g. a random salt per user, hashed together with the password, as SMF seems to do).
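To make the difference between the two paragraphs above concrete (unsalted MD5 that falls to one pre-computed table, versus the per-user salted storage recommended here), the following added example puts a phpBB-2-style `md5(password)` scheme next to a salted one. This is illustration code written for this post, not phpBB’s or SMF’s own code; the short wordlist stands in for a rainbow table’s keyspace and the usernames and passwords are constructed.

```python
"""Unsalted MD5 versus per-user salted hashes: one precomputed table cracks
every unsalted dump, but buys nothing against salted storage. Constructed example."""
import hashlib
import secrets
from typing import Optional

# Constructed wordlist standing in for a table's keyspace (a real table
# covers e.g. every 6-character string, but the lookup works the same way).
WORDLIST = ["salasana", "qwerty", "123456", "password", "letmein", "hockey", "dragon"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# --- vulnerable: phpBB 2 style md5(password), no salt ------------------------

def store_unsalted(password: str) -> str:
    return md5_hex(password)


def build_md5_table(words):
    """Built once and reused against every dump ever obtained: hash -> password."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(table, users):
    """users: username -> md5 hex. One dict lookup per user, no hashing at all."""
    return {u: table[h] for u, h in users.items() if h in table}


# --- hardened: random salt per user, stored beside the hash -------------------
# SHA-1 is used because that is what the post describes for SMF; today a slow,
# purpose-built password hash (bcrypt, scrypt, Argon2) should replace it.

def store_salted(password: str, salt: Optional[str] = None):
    salt = salt if salt is not None else secrets.token_hex(8)
    return salt, sha1_hex(salt + password)


def verify_salted(password: str, salt: str, digest: str) -> bool:
    return secrets.compare_digest(sha1_hex(salt + password), digest)


def crack_salted(words, records):
    """records: username -> (salt, digest). No precomputation applies: the whole
    wordlist must be re-hashed under every user's salt. Returns the cracked
    passwords and the number of hash computations that took."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in words:
            work += 1
            if sha1_hex(salt + w) == digest:
                cracked[user] = w
                break
    return cracked, work


# Constructed users: two share a password, one uses something not in the list.
PLAINTEXT = {"alice": "salasana", "bob": "salasana", "carol": "Zx!9kq#u"}


def demo():
    unsalted = {u: store_unsalted(p) for u, p in PLAINTEXT.items()}
    salted = {u: store_salted(p) for u, p in PLAINTEXT.items()}
    table = build_md5_table(WORDLIST)
    return {
        "unsalted_cracked": crack_unsalted(table, unsalted),
        # Identical unsalted hashes expose shared passwords before any cracking.
        "unsalted_equal_hashes": unsalted["alice"] == unsalted["bob"],
        "salted_equal_hashes": salted["alice"][1] == salted["bob"][1],
        "salted_cracked": crack_salted(WORDLIST, salted),
        "verify_ok": verify_salted("salasana", *salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The cost model is the whole story: against the unsalted dump the attacker pays for the table once, and then every further dump is free lookups, while against the salted records the work is wordlist size times user count and nothing carries over to the next forum. Users with a weak password are still cracked either way, which is why the advice to users below still matters.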

The best advice to a user is to use long passwords. A rainbow table covering all MD5-hashed passwords of up to 6 characters from the full printable character set (mixalpha-numeric-all-space) is 2 GB in size, but the same kind of table for passwords of up to 8 characters, restricted to lowercase letters (a-z) and digits, is already 36 GB: every extra character multiplies the keyspace by the size of the character set, so length buys more than a slightly larger alphabet does.

A leak like this is Christmas come early for any security researcher interested in real-world computer security. With some simple data manipulation it’s easy to pull out, for example, the top 10 most used passwords or to compute simple statistics on other interesting characteristics of real-world passwords (average length, are they mixed-case, do they contain digits?).

Unfortunately doing this analysis is probably illegal, so I won’t go into it here, but I read on the net that, for example, “salasana” (Finnish for “password”) was really common, as were “qwerty” and “123456”. A more thorough analysis would tell us how many used their username or first name as their password. Of course, this information also helps to create more efficient (smaller in size, better in success rate) rainbow tables.
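The statistics the two paragraphs above describe, as an added example run over a constructed username/password list rather than the leaked data (this is not code from the original post): most common passwords, average length, mixed case, digits, the username reused inside the password, and non-ASCII letters such as “ä” that the usual table charsets leave out.

```python
"""Simple statistics over a plain-text username/password list.
The SAMPLE below is constructed for illustration, not taken from the leak."""
from collections import Counter

# Constructed sample in the shape of the plain-text portion of such a leak.
SAMPLE = [
    ("matti", "salasana"), ("liisa", "123456"), ("pekka", "qwerty"),
    ("jukka", "jukka"), ("anna", "Anna1985"), ("ville", "salasana"),
    ("timo", "kiekko99"), ("sari", "Sari"), ("juha", "123456"),
    ("maija", "Päivä88"),
]


def top_passwords(rows, n=10):
    """Most frequent passwords with their counts, most common first."""
    return Counter(pw for _, pw in rows).most_common(n)


def is_mixed_case(pw: str) -> bool:
    return any(c.isupper() for c in pw) and any(c.islower() for c in pw)


def password_stats(rows):
    total = len(rows)
    return {
        "count": total,
        "avg_length": sum(len(pw) for _, pw in rows) / total,
        "mixed_case": sum(is_mixed_case(pw) for _, pw in rows),
        "has_digit": sum(any(c.isdigit() for c in pw) for _, pw in rows),
        # Username reused inside the password, compared case-insensitively.
        "contains_username": sum(u.lower() in pw.lower() for u, pw in rows),
        # Non-ASCII letters (ä, ö, ...) fall outside the usual rainbow-table charsets.
        "non_ascii": sum(not pw.isascii() for _, pw in rows),
        # Share of distinct passwords; the lower it is, the better a small
        # wordlist performs against the population.
        "unique_ratio": len({pw for _, pw in rows}) / total,
    }


if __name__ == "__main__":
    print("top passwords:", top_passwords(SAMPLE, 3))
    for key, value in password_stats(SAMPLE).items():
        print(f"{key:18s} {value}")
```

Each count is computed from the rows themselves, so the same functions run unchanged on a larger list of `(username, password)` tuples read from a file.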
