Author Topic: Oops, FA Got Hacked (Again)  (Read 9113 times)

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 845
  • E-points: +44/-12
  • \(_o)/
Re: Oops, FA Got Hacked (Again)
« Reply #20 on: May 20, 2016, 05:35:46 pm »
Quote
We have temporarily put the site into Read Only mode while we work on implementing additional security measures. We have just learned the attackers have access to personal user data, such as encrypted passwords and email addresses.

We will be making improvements to the login page and password reset tool to increase security on those pages. Once the changes are complete, we will provide instructions on how to reset your password. We apologize for the inconvenience.

FA confirmed for totally fucked.

N

  • Posts: 19
  • E-points: +1/-0
  • Filthy Animal Person
Re: Oops, FA Got Hacked (Again)
« Reply #21 on: May 20, 2016, 06:45:32 pm »
Well, it didn't take long for their database security to be cracked. Was it also from 2008? People are complaining their other sites are getting hacked.

https://twitter.com/NanukBurr/status/733597003775496194
Quote
FYI: Users are reporting unauthorized access to accounts using the same password as their FA account. Take steps NOW to secure accounts.

I'm incredibly frustrated at how difficult this has been. First of all, even BEFORE users were posting screenshots of unauthorized access to other accounts they should have been taking proactive steps to rectify this. Second, what the fuck why did it only take a day to figure out what passwords were?! That really implies they're using a super outdated algorithm and that ain't cool.

I really do hope they send out a data breach email. If not because they might be legally required to, then because it's fucking good practice in a situation like this.

Ketsuban

  • *
  • Posts: 60
  • E-points: +7/-1
  • Initiated Rube
Re: Oops, FA Got Hacked (Again)
« Reply #22 on: May 21, 2016, 06:54:38 pm »
Quote
Second, what the fuck why did it only take a day to figure out what passwords were?! That really implies they're using a super outdated algorithm and that ain't cool.

Apparently their, um, algorithm was this.

Code:
sha1(crypt(password, "d67c5cbf5b01c9f91932e3b8def5e5f8"))
In other words, FA's threat model was people armed with computers which were considered outdated a decade ago.

Pi

  • POOR IMPULSE CONTROL
  • Cabalistic Fuckhead
  • Posts like Kage drinks
  • ****
  • Posts: 657
  • E-points: +54/-12
  • <blink>yes hello</blink>
Re: Oops, FA Got Hacked (Again)
« Reply #23 on: May 21, 2016, 09:05:10 pm »
Quote
Second, what the fuck why did it only take a day to figure out what passwords were?! That really implies they're using a super outdated algorithm and that ain't cool.

Apparently their, um, algorithm was this.

Code:
sha1(crypt(password, "d67c5cbf5b01c9f91932e3b8def5e5f8"))
In other words, FA's threat model was people armed with computers which were considered outdated a decade ago.

I already wrote about this on my LJ in fuckin' 2011. I could go on, but,

nobody paid attention then, why would they pay attention now
"we did farts.  now we do sperm.  we are cutting edge." Theo DeRaadt

Gourd

  • Posts: 23
  • E-points: +1/-0
  • Uninitiated Rube
Re: Oops, FA Got Hacked (Again)
« Reply #24 on: May 21, 2016, 10:08:35 pm »

Zzyzx

  • Posts: 8
  • E-points: +1/-0
  • How Do I Security?
Re: Oops, FA Got Hacked (Again)
« Reply #25 on: May 22, 2016, 04:51:20 pm »
Quote
Too bad there haven't been any projects to, like, update FA's code or anything like that.

Quote
You must be new here.
Apparently sarcasm doesn't carry well online. x3

an Hoopoe

  • Postcount killed Trogdor
  • *****
  • Posts: 792
  • E-points: +37/-56
Re: Oops, FA Got Hacked (Again)
« Reply #26 on: May 22, 2016, 05:17:22 pm »
Now there are forced password resets, which is screwing a lot of people because of no longer having access to old e-mail addresses, and artists who rely on FA for commissions to make a living or supplement their income are having it especially bad, e.g.:

^ https://twitter.com/kalydali/status/734534556334850048


Vaerinn

  • Posts: 19
  • E-points: +2/-0
  • Cybernetic infovore
Re: Oops, FA Got Hacked (Again)
« Reply #27 on: May 22, 2016, 07:59:39 pm »
Quote
Now there are forced password resets, which is screwing a lot of people because of no longer having access to old e-mail addresses, and artists who rely on FA for commissions to make a living or supplement their income are having it especially bad, e.g.:

^ https://twitter.com/kalydali/status/734534556334850048

Not only that, but some users aren't actually getting emails at all from FA when trying to reset their passwords, so people are getting locked out even when they do have access to their old email addresses.

ProvincialTwit

  • Abuse Dept.
  • Admin
  • Postcount killed Trogdor
  • *****
  • Posts: 833
  • E-points: +79/-35
Re: Oops, FA Got Hacked (Again)
« Reply #28 on: May 22, 2016, 09:05:12 pm »
Well serves 'em right for not, y'know, bailing sooner when it wasn't an emergency.

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 845
  • E-points: +44/-12
  • \(_o)/
Re: Oops, FA Got Hacked (Again)
« Reply #29 on: May 22, 2016, 10:10:34 pm »
There is now a very annoying CAPTCHA present on the login page which is present no matter what. This has the "convenient" side effect of disabling FurryNetwork's importer script.


Dragoneer is committed to adding "additional securities" and I imagine that will entail breaking whatever FurryNetwork is working on to get around the CAPTCHA.

camellia sinensis

  • Winner: Worst Username on Viv 2011
  • **
  • Posts: 126
  • E-points: +36/-4
  • Drink me
Re: Oops, FA Got Hacked (Again)
« Reply #30 on: May 23, 2016, 11:58:07 am »
Quote
Well serves 'em right for not, y'know, bailing sooner when it wasn't an emergency.
Multiple people have tried in the past, but since most of the patronage stayed on FA, it didn't matter.

Oh, but if we're just talking about reasons to be smug, yeah, what a bunch of idiots.

Kirune

  • Connoisseur of Cock
  • *
  • Posts: 36
  • E-points: +4/-6
  • hokay
Re: Oops, FA Got Hacked (Again)
« Reply #31 on: May 23, 2016, 04:57:57 pm »
Quote
Well serves 'em right for not, y'know, bailing sooner when it wasn't an emergency.
Multiple people have tried in the past, but since most of the patronage stayed on FA, it didn't matter.

Oh, but if we're just talking about reasons to be smug, yeah, what a bunch of idiots.

a fandom is what people make of it
turns out, furries are mostly bad and dumb.

rodox_video

  • Posts like Kage drinks
  • ****
  • Posts: 640
  • E-points: +61/-14
  • HURF DURF DUH BLUH
Re: Oops, FA Got Hacked (Again)
« Reply #32 on: May 24, 2016, 09:50:10 am »
if we have to stick to terrible sites run by terrible people because it pays our bills, then perhaps we are not having fun anymore
Zeriara is part of a series on Whores.

SDAC

  • Posts: 14
  • E-points: +0/-0
Re: Oops, FA Got Hacked (Again)
« Reply #33 on: May 24, 2016, 03:30:09 pm »
Whoever has a copy of the FA database put up a Tor hidden service at http://fapassap77jfeffk.onion. (If you're a non-freak, you can try it at https://fapassap77jfeffk.onion.to/)

This lets you see what email address you registered for FA with, the last known email you used for FA, and whether your password is unique or not (this implies the attacker has already cracked all the password hashes they have, and tested them)

Zzyzx

  • Posts: 8
  • E-points: +1/-0
  • How Do I Security?
Re: Oops, FA Got Hacked (Again)
« Reply #34 on: May 24, 2016, 04:47:33 pm »
Quote
Whoever has a copy of the FA database put up a Tor hidden service at http://fapassap77jfeffk.onion. (If you're a non-freak, you can try it at https://fapassap77jfeffk.onion.to/)

This lets you see what email address you registered for FA with, the last known email you used for FA, and whether your password is unique or not (this implies the attacker has already cracked all the password hashes they have, and tested them)
Well, it implies they have the hashes, at least. You can compare hashes to tell if they're unique, especially since I doubt FA was using a good salt, if any. But since FA's passwords have been published before, I wouldn't be surprised if the database was trivial to access or if passwords were stored in the clear somewhere.

Folseh

  • *
  • Posts: 34
  • E-points: +3/-0
  • Uninitiated Rube
Re: Oops, FA Got Hacked (Again)
« Reply #35 on: May 24, 2016, 09:20:13 pm »
Quote
Whoever has a copy of the FA database put up a Tor hidden service at http://fapassap77jfeffk.onion. (If you're a non-freak, you can try it at https://fapassap77jfeffk.onion.to/)

This lets you see what email address you registered for FA with, the last known email you used for FA, and whether your password is unique or not (this implies the attacker has already cracked all the password hashes they have, and tested them)
huh, out of 5 FA accounts I have, only one had its password shared with 14 other people

Pi

  • POOR IMPULSE CONTROL
  • Cabalistic Fuckhead
  • Posts like Kage drinks
  • ****
  • Posts: 657
  • E-points: +54/-12
  • <blink>yes hello</blink>
Re: Oops, FA Got Hacked (Again)
« Reply #36 on: May 24, 2016, 09:44:17 pm »
there is a lot of misinformation out there about how FA stores its passwords, let me try and clear it up

As of 2011, and vaguely covered on my lj, FA had 2 password hashing schemes. We'll call them Bozo and Krusty.

Bozo used 128 rounds of OpenBSD's password hash, and the same salt for every user. The use of OpenBSD's $2a$ crypt makes an attacker's job slightly harder, in that more computation is necessary to crack a single password. Using the same salt, however, makes the attacker's job easier: if FA used a salt per user, a dictionary/precomputation attack wouldn't work (it'd take up too much space), nor would someone be able to tell if you used the same password as another user.

Krusty fixed the salt problem, kinda. It kept using a static salt, but it also salted a per-user string along with a hash of your password. But then it goes and uses 1 round of a hash that nobody's ever heard of, or uses, called WHIRLPOOL. This makes an attacker's job EXTREMELY easy, because now it's just 2 hash operations: once to MD5 your password, and then once to WHIRLPOOL the two salts and your password. Compare that to the 128 rounds Bozo used, and suddenly the fact that they got salting right is unimportant, because you can brute-force 64 times as many passwords in a given amount of time. And that's assuming a full round of Krusty costs the same amount of CPU time as 1 of the 128 rounds in OpenBSD's hash.

So, someone can check the unsalted hash to see if your password is the same as someone else's thanks to Bozo, and someone can massively parallelize a brute-force attack against the database thanks to Krusty. Now they're using bcrypt, which is impossible to fuck up. Unless you put it into place after a massive database leak... Oh.
« Last Edit: May 24, 2016, 11:23:32 pm by Pi »
"we did farts.  now we do sperm.  we are cutting edge." Theo DeRaadt
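The two weaknesses described in the post above (a site-wide static salt lets anyone with the hashes see who shares a password and amortise one dictionary run over every user; a cheap one-pass hash lets them test far more guesses for the same work) worked through as an added Python example. This is not FurAffinity's code and not from anyone in this thread: PBKDF2 from the standard library stands in for the 128-round OpenBSD hash, SHA-512 stands in for WHIRLPOOL, the 128/2 operation counts are an assumed cost model rather than measurements, and the users and wordlist are constructed.

```python
"""Why a site-wide static salt and a cheap hash each help an attacker.

Added illustration, not FurAffinity's code. The three schemes are stand-ins
for the ones described in the thread, with assumptions labelled:
  static_slow  - one site-wide salt + a cost-parameterised hash (PBKDF2 from
                 the standard library stands in for 128-round bcrypt)
  peruser_fast - per-user salt, but a single cheap pass over
                 site_salt || user_salt || md5(password) (SHA-512 stands in
                 for WHIRLPOOL, which hashlib does not guarantee to provide)
  peruser_slow - per-user random salt + the slow hash (the fix)
Costs are counted in abstract "primitive operations" per hash, not wall time.
"""
import hashlib
import os
from collections import defaultdict

SITE_SALT = bytes.fromhex("d67c5cbf5b01c9f91932e3b8def5e5f8")  # the static salt quoted in the thread
SLOW_COST = 128  # assumption: one slow hash = 128 primitive operations (the "128 rounds")
FAST_COST = 2    # one md5 + one outer hash

# Constructed sample data: alice and bob share a password, as the leak site exposed.
USERS = {
    "alice": b"dragon",
    "bob":   b"dragon",
    "carol": b"hunter2",
    "dave":  b"correct horse battery staple",
}
WORDLIST = [b"123456", b"password", b"dragon", b"hunter2"]  # constructed attacker dictionary


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a cost-parameterised password hash such as bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, SLOW_COST)


def fast_hash(password: bytes, user_salt: bytes) -> bytes:
    """One cheap pass: outer(site_salt || user_salt || md5(password))."""
    return hashlib.sha512(SITE_SALT + user_salt + hashlib.md5(password).digest()).digest()


# name -> (hash function, cost per call, whether each user gets their own salt)
SCHEMES = {
    "static_slow":  (slow_hash, SLOW_COST, False),
    "peruser_fast": (fast_hash, FAST_COST, True),
    "peruser_slow": (slow_hash, SLOW_COST, True),
}


def build_table(scheme: str, users=USERS) -> dict:
    """The password table as it would sit in a leaked database: user -> (salt, digest)."""
    hash_fn, _, per_user = SCHEMES[scheme]
    table = {}
    for user, password in users.items():
        salt = os.urandom(16) if per_user else SITE_SALT
        table[user] = (salt, hash_fn(password, salt))
    return table


def shared_password_groups(table: dict) -> list:
    """What a leak site can tell from the hashes alone: rows with the same
    (salt, digest) have the same password. Only possible when the salt is shared."""
    groups = defaultdict(set)
    for user, (salt, digest) in table.items():
        groups[(salt, digest)].add(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def dictionary_attack(scheme: str, table: dict, wordlist=WORDLIST):
    """Offline guessing against a leaked table. Returns (recovered, primitive_ops).
    Shared salt: hash each word once and look it up against every row.
    Per-user salt: every word must be re-hashed for every row."""
    hash_fn, cost, per_user = SCHEMES[scheme]
    recovered, ops = {}, 0
    if not per_user:
        by_digest = defaultdict(list)
        for user, (_, digest) in table.items():
            by_digest[digest].append(user)
        for word in wordlist:
            ops += cost
            for user in by_digest.get(hash_fn(word, SITE_SALT), []):
                recovered[user] = word
    else:
        for user, (salt, digest) in table.items():
            for word in wordlist:
                ops += cost
                if hash_fn(word, salt) == digest:
                    recovered[user] = word
                    break
    return recovered, ops


if __name__ == "__main__":
    for scheme in SCHEMES:
        table = build_table(scheme)
        recovered, ops = dictionary_attack(scheme, table)
        print(f"{scheme:13s} shared-password groups: {shared_password_groups(table)}")
        print(f"{'':13s} cracked {sorted(recovered)} in {ops} primitive ops")
```

Running it shows the two effects separately: only the static-salt table lets `shared_password_groups` pair alice with bob, and only the static-salt table lets the attacker pay for each dictionary word once rather than once per user; switching the per-user-salted table from the slow hash to the cheap one cuts the attacker's work by the assumed 64x with no change to what gets recovered.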

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
Re: Oops, FA Got Hacked (Again)
« Reply #37 on: May 25, 2016, 03:02:59 am »
Quote
Apparently sarcasm doesn't carry well online. x3

In other news, water is wet.

Quote
So, someone can check the unsalted hash to see if your password is the same as someone else's thanks to Bozo, and someone can massively parallelize a brute-force attack against the database thanks to Krusty.

Why oh why could this not have happened _before_ the DEFCON CFP had already closed this year?
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 845
  • E-points: +44/-12
  • \(_o)/
Re: Oops, FA Got Hacked (Again)
« Reply #38 on: May 25, 2016, 04:03:40 am »
Quote
Whoever has a copy of the FA database put up a Tor hidden service at http://fapassap77jfeffk.onion. (If you're a non-freak, you can try it at https://fapassap77jfeffk.onion.to/)

This lets you see what email address you registered for FA with, the last known email you used for FA, and whether your password is unique or not (this implies the attacker has already cracked all the password hashes they have, and tested them)

This tool also provides a fun way of auditing FA's internal security policies.

Some five years ago, FurAffinity suffered from several high-profile account intrusions due to various password leaks from other sites. One of these events was the intrusion of then-admin Rhainor's account which was pulled off by someone getting into Rhainor's Gmail account and social engineering another admin to reset his password.

I seem to recall discussion after that event indicating that FA was developing some rudimentary security policies regarding email. Certainly, one policy that should have been considered in a situation like that is for staff to not be allowed to use their personal email accounts as their FA account's email address. Since FA operated its own mail server at the time, it should not have been difficult to implement such a policy, giving them FA email accounts operated from a server where account passwords could not be automatically reset.

Fast forward to the present, and we now have a tool to not only see what email addresses the administrator accounts were using, but also show us an indication of how secure their password was.

Let's start with the top brass.


Dragoneer gets points for using his @furaffinity.net email address, but loses 10000 points for using the same password as the Fender account.


Chase scores lowly even though the bar isn't set that high. Not only is he using a password that 8 other accounts use (suggesting he has many alts/socks or an easy-to-crack password), he also is using his Gmail account. Tsk.


Sciggles is just as bad as Chase. Once again we have a personal Gmail account and several accounts sharing the password, though I have a hunch those are sockpuppet accounts, since that just seems like the kind of thing Sciggles would do. Her primary account actually performs better with a unique password.

As for the administrators...


AsiaNeko is using a Gmail account too.... But at least has a unique password.


QuotingMungo is just... A hot mess. Livejournal? Really?


FoxAmoore doesn't even have an email address on file, meaning it's possible his account could not have its password reset without the intervention of another admin. He's also using a unique password.

The technical team does about as well as you'd expect.


Yak is using a personal email. Go figure.


Net-cat has no email on file and a unique password.


Pickra is the loser in the FA Account Security golfcart races. An AIM email address and a password that, judging by the number of people using it, may very well be the fabled popular "dragon" password.

Finally, we can take a look at those "anonymous" moderator accounts...




Oh cool, all the moderator accounts share the same gmail account. And whoever Moderator-Gryphon is seems to have trouble with coming up with a password that other people aren't using.


Now, put on those tinfoil hats, because it's conspiracy time!
Remember that time Dragoneer was caught sockpuppeting as "Firepyro"? Well, he may have been sockpuppeting as other accounts at the time.


Hm, interesting... "G**a", that couldn't be...

Oh, but it is. Somehow, an impostor account calling itself "Giza" (One of Sean's old time rivals from the Olive Garden Incident and Anthrocon) has the same password as Firepyro, which was known to have been accessed by Dragoneer.

Make of that what you will.
« Last Edit: May 25, 2016, 05:41:36 am by Conan »

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
Re: Oops, FA Got Hacked (Again)
« Reply #39 on: May 25, 2016, 04:25:19 am »
Quote
The Firepyro account posted a journal just 5 hours later:

Check your dates, broseph.

I'd say that these hackers are so smart that FA should hire them, but I don't think even the hackers deserve that kind of punishment.

I'll admit that this garnered a chuckle from me. Well done.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING