EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: G7PSK on June 08, 2012, 01:09:46 pm

Title: Apache software security
Post by: G7PSK on June 08, 2012, 01:09:46 pm
Does anyone know what software is behind this site? Three sites, including LinkedIn, have now been hacked and passwords accessed. They all run on Apache-based software, so the security flaw could be there. So I was wondering what the security risk is on this site.

http://www.lse.co.uk/FinanceNews.asp?ArticleCode=qrmuj0emrqq615b&ArticleHeadline=UPDATE_1LinkedIn_works_with_FBI_on_password_theft

http://www.huffingtonpost.co.uk/2012/06/08/lastfm-hit-by-password-leak_n_1580012.html?icid=maing-grid7%7Cuk%7Cdl1%7Csec3_lnk4%26pLid%3D112160
Title: Re: Apache software security
Post by: PeterG on June 08, 2012, 01:18:28 pm
Apache is the most used web server package in use today, so it is no surprise these sites used it for their base web server platform.

Regards
Title: Re: Apache software security
Post by: Stephen Hill on June 08, 2012, 01:20:54 pm
The main problem was that they stored their passwords hashed with the SHA1 algorithm but without a salt. This makes all the passwords decryptable.

You should always hash passwords with a salt so that it's hard/impossible to decrypt.
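To show what the post above is getting at, here is an added example (it is not code from the post or from any of the sites mentioned). It contrasts the scheme described, bare unsalted SHA-1, with a per-user random salt plus an iterated key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as an assumption; any modern password KDF would do). The user records are constructed sample data. Two users deliberately share a password: with unsalted SHA-1 their stored digests are identical, so a leaked table reveals password reuse and one recovered guess unlocks every matching account; with a salt every record is unique, and the iteration count makes each guess expensive. Strictly, password hashes are never "decrypted", they are guessed and compared, which is why the cost per guess matters.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample accounts; alice and bob reuse the same password on purpose.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# OWASP's current minimum for PBKDF2-HMAC-SHA256 (assumed default for this example).
DEFAULT_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the thread: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing record so the
    parameters can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicate_hash_count(table: Dict[str, str]) -> int:
    """Number of records whose stored value is shared with at least one other record.
    0 means a leaked table leaks nothing about which users reuse a password."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


def build_tables():
    """Build both storage tables for the sample users so they can be compared."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    salted = {user: hash_password(pw) for user, pw in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("records sharing a digest, unsalted SHA-1:", duplicate_hash_count(unsalted))
    print("records sharing a digest, salted PBKDF2:", duplicate_hash_count(salted))
    print("alice verifies:", verify_password(USERS["alice"], salted["alice"]))
    print("wrong password:", verify_password("not her password", salted["alice"]))
```

The `hmac.compare_digest` call in `verify_password` avoids leaking, through timing, how many leading bytes of a guess matched. Storing the iteration count alongside the salt means the cost can be raised for new records as hardware gets faster, and old records can be re-hashed at the user's next successful login.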
Title: Re: Apache software security
Post by: Stephen Hill on June 08, 2012, 01:22:41 pm
Also, it's not known at this stage how they got access, but I bet it was due to human error (easy-to-guess username/password or poor application code) rather than any security vulnerability of their software stack (although not impossible to rule out).
Title: Re: Apache software security
Post by: AntiProtonBoy on June 08, 2012, 02:08:50 pm
20K samples of the leaked passwords: http://pastebin.com/JmtNxcnB

These are added to a massive password database which is then resold for dictionary attack purposes.

Here is a more comprehensive list: http://dazzlepod.com/site_media/txt/passwords.txt (NOTE: 20 MB text file). If your password appears on the list, irrespective of whether you use LinkedIn, Last.fm, or some other service, change your password immediately.