Notice of security breach on Ubuntu Forums
insights.ubuntu.comI like the direct communication style of this document.
Indeed, if only all such disclosures were so transparent.
I suppose transparency ends up being in reverse proportion to perceived liability, or some approximation thereof. This seems rather minor.
Although they obviously failed in their security efforts, I think, they did a good job in communicating the incident. No beating around the bush.
They used this access to download portions of the ‘user’ table which contained
usernames, email addresses and IPs for 2 million users. No active passwords were
accessed; the passwords stored in this table were random strings as the Ubuntu Forums
rely on Ubuntu Single Sign On for logins. The attacker did download these random
strings (which were hashed and salted).
Ubuntuforums does use Ubuntu One for SSO, there should be no "passwords" at all in the table, so I'm not quite sure what to make of that paragraph. Typically session tokens are not salted and hashed, although you can actually do that do avoid having to revoke them after a breach.
It's likely leftover schema from when a password was used instead of the SSO. I've seen this when a system transitioned to SSO that is based on another forum technology that also supports password. Just filled the regular password fields with garbage basically.
Not another one? Didn't they get p0wned a few years ago?
Indeed, my first thought was "again?!"
> Hardening
> We’ve installed ModSecurity, a Web Application Firewall, to help prevent > similar attacks in the future.
> We’ve improved our monitoring of vBulletin to ensure that security patches are applied promptly.
What? They _just_ added a firewall in their forum? What were they thinking all these years then? Either none of their engineers thought about adding an extra layer of security to this website during all these years, or the chain of command in this company is so strict that any suggestion from their engineers is dismissed until a security breach is detected. What a shame, first Linux Mint, and now these guys.
A "WAF" like modSecurity is not the same as a network packet firewall. And a WAF might contain lots of heuristics and overly strict rules that might break web applications in subtle ways.
What are you talking about? I am saying that they added ModSecurity just now, why didn't they added it years ago? Whether a WAF will affect some features in their forum has nothing to do with my comment that was intended as a critic for the bad timing of their sysadmins. Why add ModSecurity now "after" the breach and not before? Wasn't it obvious that someone would try to hack their forum?
Are you just saying that my critic makes no sense?
Sorry, I thought you assumed they were talking about a "normal firewall" missing since the start. Installing a WAF isn't always standard procedure for LAMP stacks as far as I know, so I wouldn't fault them for not doing that initially. Obviously they have changed their minds now :)