Yup, Somebody Cracked Slashdot

So last night a couple of guys (Nohican && {}) cracked into Slashdot. As they say, the weakest link in any security system is human: on one of our test boxes, we had a "clean" copy of Slashcode installed, with default data... including the temp admin password (God/Pete). It didn't take much after that to get into Slashdot itself. Hit the link below to read a bit more on the subject (but if you don't want to bother reading it, you should at least change your password).

What a great way to wake up! I went to bed at about 10 last night, completely exhausted (stuff unrelated to Slashdot stressing me out). I guess the upside is that I had a good night's sleep: the downside is I still haven't had a morning cup of coffee ;)

Allright, so by using the 31337 haxx0r tool known as "Common Sense", {} and Nohican managed to get a Slashcode test site's administrative access (this isn't a root shell or anything: its only a series of Web forms used to post stories, and configure various parts of the site). This was our biggest mistake: the password (God/Pete) was never changed on the test site. From there, it was a cake walk.

By exploiting a known security hole in pre-2.0 versions of Slashcode, they executed some perl of their own devising through our template system, and managed to run netcat on the the box. The hole itself required "God" access on a Slashcode site, so it was never a problem before... but since the password was the Slashcode default of God/Pete, it wasn't hard. We knew about the potential problem but since nobody ever had God access besides me, it was never a problem!

From there they managed to get ahold of our backup database (updated nightly). And due to another hole (one that is also fixed in the upcoming 2.0 "Bender" source tree ;) they managed to pull my Slashdot administrative passwd from the dump, and login as me, to the real Slashdot. (our db stores passwords in plaintext. Yes it's stupid, but I wrote this code 3 years ago and had no clue).

Apparently that's where they stopped: all they wanted was to post a story claiming victory. Immediately after that, they e-mailed us and told us how they did it. Our crack team plugged things back up immediately. (and the guys were nice enough to chat a bit with them on IRC explaining a few things).

The moral? Our biggest mistake was not changing the default data on the test site, and I'm sure that we'll patch the next version of Slashcode to require new administrators to change their passwords during installation. The eval hole (we've been working on removing this problem for some time now and replacing it with a templating system that is secure, flexible, and easier than the really crappy one we're using now) and the password problem (also fixed in bender) won't be a factor in Slashcode 2.0.

It doesn't appear at this stage that they actually did anything beyond posting their story. (We're taking all the appropriate precautions to make sure. Hugs to Yaz, Liz and Pat who are gonna have it the worst). You should also change your Slashdot User Password right now just to be safe.

The whole Slashdot authentication is ridiculously insecure. I coded it years ago when I didn't really know anything about scalability or security. Since then various bugs in Web browsers have changed a lot of things, so we decided to fix the problems in Slashcode 2.0. Unfortunately it's not done yet, but it's getting there. Of course, anyone with functioning neurons knows that you use different passwords on each system (especially Web sites where you aren't using any encryption!)

Nobody ever would have got anywhere had we just changed the default password though.

The good news is that it looks like {} and Nohican were good guys: the did the deed, took the credit, and went no further. Then they told us exactly how they did it so we could make sure it wouldn't happen again. Honestly, that's the best kind of hack. Two years ago we had the bad kind of hacker: he rooted the whole damn system and never told us how they gained entry. That sucked more than I can describe.

The bad news is that we have to pretend that these guys totally took over, and rebuild everything anyway. It's gonna be a long couple of days.

You can direct inquiries to me, but understand that I'm just a little busy right now, so I might not be able to reply to everyone.

Proper way to cover a break-in story

How refreshing! Someone breaks into a site and the FBI is not called in, pols are not running around screaming about the world coming to an end, and USA Today is not running a story about how evil hackers are about to steal every cent you have in your online bank account.

Instead, we have an open acknowledgment from the victims, a full story about what happened and what steps are being taken now, simple instructions for the users, and the proper amount of credit to the guys who cracked the site.

A little extra work for the /. crew, a good reminder for them to take security more seriously, but otherwise no big deal.

If only mainstream media could be this mature and accurate.
________________

Password

I always thought my password was ***** anyways....

This is nice to see...

This is nice to see. Big, front-page article saying they've been hacked, letting their users know. How many web sites do you think would do that for their users? Too few.

On the other hand, would we have been notified if the hackers hadn't put a big article on the front page? Food for though, but I'd like to think so.

Dave
'Round the firewall,
Out the modem,
Through the router,
Down the wire,

Cracking slashdot

Bah, I cracked slashdot years ago. How'da think I manage to get +5, funny all the time? You think I actually post something like that? Nah. It was late one night, I was karma whoring like I usually do, and I spotted this little pi symbol on the bottom of the page (it was right after they were aquired by Andover.net) and so I clicked on it.. and there it was! Full access to everything. So, I like, gave myself 5000 karma points and changed my default posting score to be +4.

Ah, if only the trolls had known...

--

This is worth $6,000,000?

And to think, Andover paid you guys over $6 million each for this site. You'd think a company willing to part with such a huge chunk of change would at least EVALUATE the site. Most companies would be all up IN your koolaid before writing such a check and their audit would have shown that this site is held together by band-aids and paperclips that are 3 years old.

It just goes to show that Andover had no interest in the *site* and it's validity or integrity ... just the eyeballs it would deliver to their advertising group.

I can't say I'm surprised one bit.

Password?

As if I care about my password. What's someone going to do, log in and post as me?
--

The Morals To Be Learned...

- Always change your default passwords (that is the easiest way to get hacked, as seen in The Cuckoo's Egg, a la Hagbard)

- Never store your passwords in plaintext. Preferably, just hash them.

- Never trust a good password to a website. I have a throw-away password I use for unencrypted web stuff; slashdot can have it, and I'm gonna keep it. If they hack my kuro5hin account, I'll survive.

- Hope for the best, expect the worst. If someone compromises your system, it doesn't matter how nice they are about it; make sure you check everything, regardless.
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu].

Re:Password?

Yup.
--

Plain text passwords??

I'll admit, I'm fairly new to the writing of code for the web, but the first thing I did on taking over someone's site admin was change the passwords from plain text in the cookies and db to crypt() (didn't want to use md5 since a lot of different scripts and programs used the db - crypt is more common).

Even so, the way I have it currently set up is a problem. Someone could grab a copy of the local encrypted cookie, then use it to connect as the user from then on. The easiest way I can think of to solve this is to have the cookie be a combination of a timeout value and the encrypted pass, and store that value in the db as well ('till timeout) but even so, at least user passwords can't be read out of the database in my current setup.

Come on, this is just common sense. It wouldn't have taken 37737 knowledge of perl to have implemented that in the first version of Slashcode.

Something to think about

Now, the fact that the default password was used to get into the box is one issue.

Another issue is how the crackers managed to get root after the fact. They exploited known security holes.

Just something to reduce my karma, but since the code is open source, bugs are supposed to be found much more quickly and fixed within a few hours given the right channels. Yet, since the bugs are supposedly easier to find (looking through source code as opposed to trying various techniques to so what happens) than in closed binaries (that is one of the main arguments for open source), we have our lesson for today.

Which is:

If you use open source products, patch early and patch often. If you reinstall an old version, plan to spend a significant amount of time applying patches. Otherwise, those well known and easily-researchable bugs will come back to haunt you in sequential order.

Having been a computer instructor for a year and a half, I have found that there is good news when an authority screws up publicly. First, it shows than no one is an authority on everything. More importantly, when a mistake is made, sometimes students can learn more by finding out how to fix something than how to do it correctly in the first place. This event will have more admins thinking about security today than a dozen security articles would have.

All my programs have but one purpose. They take the contents of RAM and place those contents into a file called 'core'

Re:Cracking slashdot

Sonny, in *my* day, we actually had to hack into the slashdot mainframe. What you have to do is find a known hacker, in our case an 8-year-old girl, and trust her to navigate the dangerous Doom-like interface of the security system with her mouse, gaining you access at the last possible second before all hell breaks loose. We had to work for our extra karma points, and we liked it!

what REALLY happened

Signal 11's karma exceeded an unsigned BIGINT and triggered a buffer overflow leading to an exploit. Slash code operators are encouraged to kick Signal 11 in the nuts until the problem goes away.

Mitnick was right!

http://dailynews.yahoo.com/h/zd/20000928/tc/mitnic k_to_it_managers_everybody_is_suspect__1 .html is a story about Kevin Mitnick's warning that people are always the weakest link in security. Here we have slashdot admins making a simple password mistake. Just imagine what the average user on a corporate network (with read access to the rest of that network) could do.

I would have made it a link, but either netscape or slashdot kept putting spaces in it because it was so long. Sorry.

Re:Plain text passwords??

The question then becomes how do you implement forgotten passwords?

Generated passwords (emailed to you) opens you up to some sort of randomization attacks.

"Hint" questions are a bad idea, because finding out the sorts of things that people use for hints on the internet is fairly trivial. If someone breaks into the DB and gets the Hints database, they can probably figure out your password. Besides, what can you use for a hint for "aF3g!5%fg" ?

A base64 encoded Unique URL to visit is probably the best thing. Mail that to the user, and get them to click on the link.

Any other thoughts on this?

Re:"Customer focus"

True enough, but do remember that the weakest link defines how strong the chain is.

So what if you encrypt passwords on the server, passwords are stored in cookies on your home machine, as well as sent plaintext over miles upon miles of internet cabling before reaching slashdot.org.

If someone really wanted everyone's slashdot passwords, all they'd have to do is sniff some connection along the way.

Hackers will always hack in. There's no such thing as an invincible system. It's just a matter of time and determination (as we've seen time and time again).

The "I got 0wN3d last night" song.

Apologies to Sam Cooke (and Art Garfunkel)

"Don't know much about TCP
Even less ICMP
Don't know how to make a subnet class
Even script kiddies would kick my ass
But if an OS that can be bought
Will install securely by default
What a wonderful thing that would be

Don't know much about LAND attack
Don't know how to spoof an IP stack
Don't know much about the port I'm on
Can't decide to leave a daemon on
If I install OpenBSD
And it does most of my work for me
What a wonderful thing that will be

Now I don't claim to be a sys admin
But now broadband's in my town
And I have to put something between me
And the people who know how to bring me down

Don't know much about DDoS
And my shell programming is a mess
Don't know how to build a firewall
Don't know much about nothin' at all
But if I can shield my root account
Without emptying my bank account
What a wonderful thing that would be."

-- Beldon // beldon@scamail.com

The previous hack - archived

While I'm sure it really sucked for cmd Taco, I thought the front page of the previous /. hack was kinda clever...

It's archived here [rootshell.com].

---