The Special SiteSplat Membership has launched! Check our In Da Club Plan 👌
  • Ars technica hacked - here’s what we know
  • News, Announcements, Feedback, Improvements, Changes and Policies.
News, Announcements, Feedback, Improvements, Changes and Policies.
 #4502  by ThemeSplat
 December 19th, 2014, 2:47 am
At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core.

Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters).
12-18-2014 9-34-56 PM.png
12-18-2014 9-34-56 PM.png (72.36 KiB) Viewed 11993 times

This is what the current phpBB Project Manager replied:

It is a bit shocking how many commenters went from "I have seen md5 mentioned in prior articles a few times" to "I am an expert on cryptography and clearly Ars, phpBB, et al. don't know what they're doing and don't take security seriously." As a matter of fact, we take matters of security extremely seriously. PHPass was chosen because it is a very strong option that works on a wide range of setups. It is certainly getting the job done here with flying colors. If that weren't the case, neither phpBB nor Ars would be using it.

On our newest version, phpBB 3.1, there is support for bcrypt for an even stronger hash. We are more than happy to assist in any way we can to get Ars upgraded in due course.

Yuriy Rusko
Project Manager, phpBB


Source:
http://arstechnica.com/staff/2014/12/ar ... t-we-know/
 #4511  by ThemeSplat
 December 19th, 2014, 8:56 pm
Yes change it just to take extra caution...

PRENEXT_POST_NAVIGATION