http://securityratty.com/tag/bsdnews Fri, 25 Apr 2008 04:10:33 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/f933fe4ac705793824eb3c93ab71171c http://securityratty.com/article/f933fe4ac705793824eb3c93ab71171c Security Breach

Date Reported:
4/24/08 (This report was postponed for 24 hours to allow for the site administrator to respond and notify affected people)

Organization:
Daemon News*

*At the time of this writing, the Daemon News web site was not available.

Contractor/Consultant/Branch:
BSDNews.com**

**At the time of this writing, the BSDNews.com web site was not available.

Victims:
BSDNews.com members

Number Affected:
5498

Types of Data:
Username, password, email address, and in some cases real names

Breach Description:
It appears that the BSDNews.com web site may have been compromised through an exploit of a file named "bottom.php3", which was used by the site.  The attacker was able to access and download user account information.  As of the time of this writing, BSDNews.com is offline.

Reference URL:
Golden-Warez
Indonesia Underground Blog
Jim O'Gorman's Site

Report Credit:
Brought to the attention of The Breach Blog by Jim O'Gorman

Response:
From the online sources cited above:



"Hi all, maybe some of you, saw that bsdnews.com is/was offline.

I hacked their database, with an exploit found by myself.
I tried to submit to milw0rm, but they dont accept exploits of .php3 .

bottom.php3 , this file was vulnerability.

LOL, ok.. But i have their user database.
I dont want to waste my time to check the hole thing..

first word is username, second word is password, third word is email adress. B
By some lines the password,email is NULL.

Do what you want to do with it..
Please, if u think i didnt hacked it, search forums/google , you dont find anything

THIS IS MY FIRST RELEASE HERE!

i kept everything as i got it  so there can be info what is usefull

uploaded at my host"
[Evan] There is a link in this Golden-Warez post that leads to a compressed (.rar) file.  In the RAR there are two text files that each contain ~1000 records.  I don't generally suggest that people make it a habit to go to warez sites and download files.  If you are going to anyway, then don't claim that I told you to.



Commentary:
OK.  Some of you may be asking the question, so what?  The "hacker" only compromised usernames, email addresses and passwords allowing access to BSDNews.com, which doesn't store financial, health, or other personal information, right?  Well, kind of.  The problem is the fact that a password is itself confidential personal information.  According to some estimates, as many as 70% of people use the same or similar password for access to multiple or all sites that they use.  Take PayPal for instance.  This breach compromised email addresses and passwords.  If a person uses the same password at PayPal as they do at BSDNews.com, then a bad guy can easily access the PayPal account of the victim and wreak all kinds of havoc.  This is the issue.  Out of a claimed 5498 accounts, don't you think that there is a good chance that something like this will be the case with at least a few?

A couple of suggestions.  If you are one of the people that uses a single (or similar) password to access multiple online accounts, change this habit.  Use a different password for each account, especially the accounts that are sensitive like online banking, PayPal, etc.  If managing all of these passwords becomes a pain in the rear, then use a password management program such as Password Safe (Thank You Bruce Schneier) or RoboForm.  If you happen to be one of the many victims of this breach, change your passwords now and be aware.

Jim O'Gorman sent multiple emails to the site administrator(s) at BSDNews.com urging them to do the right thing and notify all affected persons.  It appears that this has not happened yet.  Jim shared the multiple emails back and forth between him and the site administrator(s).  We still have not seen an actual notification.  A special thanks to Jim for his awareness and diligent work to get a resolution!

Past Breaches:
Unknown

]]> Fri, 25 Apr 2008 04:10:33 +0000 bsdnews password password management program site administrator site password safe similar password similar email BSDNews.com is hacked and user information is exposed