UbuntuForums got breached... again

[LeadCrow]

Notice of security breach on Ubuntu Forums
15 July 2016, by Jane Silber

There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation. Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. We apologise for the breach and ensuing inconvenience.

What happened
At 20:33 UTC on 14th July 2016, Canonical’s IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database.

After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.

What the attacker could access
The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.

They used this access to download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).

What the attacker could not access
We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.

We know the attacker was NOT able to gain access to valid user passwords.

We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.

We believe the attacker was NOT able to gain remote SQL write access to the Forums database.

We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.

We believe the attacker did NOT gain any access at all to the Forums front end servers.

We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.

What we’ve done
Cleanup

• We backed up the servers running vBulletin, and then wiped them clean and rebuilt them from the ground up.
• We brought vBulletin up to the latest patch level.
• We reset all system and database passwords.

Hardening

• We’ve installed ModSecurity, a Web Application Firewall, to help prevent similar attacks in the future.
• We’ve improved our monitoring of vBulletin to ensure that security patches are applied promptly.

 

[Empire]

vBulletins or Ubuntus fault?

 

[doubt]

vBulletins or Ubuntus fault?

there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.

 

[zappaDPJ]

there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.

Related to this perhaps: https://theadminzone.com/threads/se...eta-1-replaced-by-beta-2.140772/#post-1057782

If so it would suggest the Ubuntu Forums failed to patch their vBulletin installation leaving it unprotected from a known vulnerability.

 

[LeadCrow]

Apparently an outdated install/addon.
The prevalence of this as a cause of breaches is alarming. Maybe vBS should be more proactive in making sure admins don't keep running unsecure installs.

 

[we_are_borg]

On 15 of July 2016 Ubuntu Forums was hacked. The forum was hacked because of an add-on Forumrunner that had an SQL injection vulnerability, the forum software was vBulletin. Ubuntu Forums has patched the software, appearently there are patches availible but they did not install them on time.

Read more here: http://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/

 

[MikeDVB]

Apparently an outdated install/addon.
The prevalence of this as a cause of breaches is alarming. Maybe vBS should be more proactive in making sure admins don't keep running unsecure installs.

Proactive how? They already email active licensees about bugs/issues/patches don't they?

Not keeping things up to date isn't just a vBulletin issue though...
http://forums.mddhosting.com/topic/...that-you-keep-all-of-your-scripts-up-to-date/
http://blog.mddhosting.com/2016/07/...is-very-important-that-they-are-find-out-why/

I can't remember the last time an account was compromised purely due to a bad password... But accounts are compromised almost every day due to scripts with security holes - more often than not holes that are already patched if the user kept up-to-date.

 

[terrymason]

I hate it when a company starts their we got hacked email notification with "We take information security and user privacy very seriously".

 

[ozzy47]

I hate it when a company starts their we got hacked email notification with "We take information security and user privacy very seriously".

How would you suggest they start off?

"We got hacked, too bad for you"

 

[MikeDVB]

I hate it when a company starts their we got hacked email notification with "We take information security and user privacy very seriously".

Personally I'd prefer they not have to start such a message off at all - but if they do - what would you suggest?

 

[terrymason]

How would you suggest they start off?

"We got hacked, too bad for you"

It's like me saying:
I will not tolerate violence, and take all acts of violence seriously. Earlier today I went on a rampage, walking around the office kicking each of my co-workers in the shorts.

It feels disingenuous for companies to talk about how serious they are about security in they same communication where they admit they failed to secure customer data.

It my site was hacked then I'd probably give a factual report of what happened, and not pay lip service to how strict my security practices are - it's obvious they weren't good enough.

 

[ozzy47]

It my site was hacked then I'd probably give a factual report of what happened, and not pay lip service to how strict my security practices are - it's obvious they weren't good enough.

It don't matter how good you think your security is, there is always someone out there that can break it. Don't get on a high horse and think your are untouchable. There has been people hacked that get paid to not be hacked, governments, stores, Google, etc.

 

[terrymason]

It don't matter how good you think your security is, there is always someone out there that can break it. Don't get on a high horse and think your are untouchable.

I may have failed to communicate effectively here, I do not have superior security. I intended to say that when a company gets hacked the first thing they seem to do is talk about how good their policies are, and Hardline they are about security.

 

[ozzy47]

So again, what are they supposed to say? If they give a factual account as to what happened, they are exposing thousands of other sites to be hit by script kiddies.

 

[zaboca]

I don't think he has an issue specifically with the rest of their announcements but specifically with that opening statement. Where they basically outline how dedicated/serious they are about your account data and privacy and what measures they have in place, then within the same breath say how they still got breached. So does that mean your policies aren't effective? What are you going do about it?

Most of them then try to shift the blame entirely to the outdated scripts that were the entry point for the infiltrators, without even partially acknowledging "well we f**ked up, it is entirely our fault because we aren't as proactive as we thought" or "we realize we have to revise our update policies so as to prevent something like this happening again".

In other words, it's more like the first thing they try to do is clear themselves of any fault/wrongdoing before everything else. It's fine to say yes we take your information security seriously, but this time there was a lapse in judgement (or something).

This is a generalization, and as such does not apply to every breached site out there, to the sites that do acknowledge their staff are to blame kudos to you. It's just that even if the statement was included in a "proper" breach announcement, just because you're so accustomed to seeing it in situations as outlined above, it irks you all the same.