I regularly contribute and help run a couple of Internet Bulletin Boards in my spare time, and it was while running one of these this morning that something quite interesting popped up. On this particular site I had installed PHPBB (which holds the largest Market Share for Internet boards), and my version was a bit out of date so I thought it was time to wander over to http://www.phpbb.com and grab the latest update. To my surprise I came across:
Figure 1. PHPBB warning message.
My knee-jerk reaction was Hmm, that can’t be good, and judging from the waves of comments on other sites, everyone else’s as well. Cries of “Oh no! De Interwebz is broken” or their equivalents were fairly widespread. Unfortunately a large chunk of today’s Web users spend a very short amount of time reading a page before deciding to move on or read the rest. In the case of phpbb.com – it looks like this attention span lasted about 2 lines, as line number 3 clearly reads (and in bold):
No vulnerabilities have been found in the phpBB software itself.
Excellent! It appears the Internet has not come to a grinding halt after all (unlike bog discussions over last Sunday). Some further reading on PHPBB support forums revealed that the vulnerability is in an entirely different piece of software running on the site, PHPList. This software is a newsletter manager which allows you to add and manage users along with creating and email newsletters. According to the support forums:
The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.
This database is from PHPBB3, which contains a much better form of encryption for password protection than PHPBB2 (MD5). Unfortunately, any user who signed up to the support site back when it was still running PHPBB2 and have not signed in since the upgrade will still have their passwords in the older format – which is easy to crack with freely available Rainbow Tables. Users are advised to reset their passwords on all other sites that they also use it for.
1) Use the 1st one for all public sites that you sign up to – bulletin boards, social networks, and the vast array of other websites that require you to give them passwords details.
2) Have a different password for your laptop/desktop, to protect against physical access to your system
3) Pick a separate password for your email account – the holy grail for password thieves. Have a search through your email messages for the words “Password” or “New Account” and the amount that will turn up is pretty scary. Compromise someone’s email and you could compromise their entire online Web activities.
Lastly, change these passwords every 6 months. If you do this, you will have gone a LONG way in keeping your online information secure. Having seperate levels of passwords is key. There is a huge number of people who blindly sign up for sites and provide both their email, and the password which is also used for their email account, as login details. If you are not used to remembering separate passwords, try and pick those with something in common. I’ll end this with a simple and easy-to-remember example.
Level-1 Password: aFiFuOf$$$
Level-2 Password: 4aF$$$Mo
Level-3 Password: ThGoThBa&ThUg
Clue: Spaghetti Westerns
Note: Don’t bother trying to access my email account with these. 🙂
Robert McArdle, Senior Antivirus Engineer