Ubuntu Forums Back Online Following Large Hack

Ubuntu Banner

A little over a week ago we reported on the fact that the Ubuntu Forums have been subjected to quite a large and unfortunately successful hack. Since then the Ubuntu Forums team have been working hard to not only restore service, but to bolster the sites security as well.

What happened?

Well, basically the hacker exploited a security flaw in vBulletin, the software that the Ubuntu Forums use. This exploit meant that the hacker had full administrative access to vBulletin as well as SSH access to the Ubuntu Forums web folders. This allowed them to download the username, email address and hashed password of all 1.82 million Ubuntu Forums users (including myself).

In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings.

If you want a much more detailed conclusion about what happened, and a full post-mortem description of the whole process then take a look at this post on the Canonical blog.

Is the problem fixed?

In short, yes. The Ubuntu Forums team have made a raft of changes in order to harden the Ubuntu Forums from further attacks, here is a list of changes made that has been taken directly from their post-mortem blog post:

  • We’ve removed the ability to modify or add new hooks except via root access to the database
  • We’ve disabled all potential HTML posting avenues in the Forums for everyone but administrators.
  • We’ve switched the Forums to use Ubuntu SSO for user authentication.
  • We’ve implemented automated expiry of inactive moderator and administrator accounts.
  • We’ve confined vBulletin with an AppArmor profile.
  • We’ve reviewed and further hardened the firewalling around the Forums servers.
  • We’ve reviewed and further hardened the PHP config on the server to close off some vectors used by the attacker.
  • We’ve switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else
  • We’ve improved escalation procedures for the Ubuntu Community members who graciously volunteer their time to administer and moderate the Forums.
  • We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. The vBulletin support staff have been helpful and cooperative throughout this incident.

 

I’m an Ubuntu Forums user. Do I need to do anything?

YES! Even though the hackers only gained access to hashed versions of user passwords, it’s only a matter of time before they crack the encryption algorithm, if they haven’t done so already. So if you’re using the password you have on the Ubuntu Forums anywhere we urge you to change those passwords as soon as possible.

If you change no other account password, please ensure that you change your password for your email account if it uses the same password as that of the Ubuntu Forums. If this password is the same and a hacker gets into your email account, they can lock you out of your own emails then generate password reset emails for all of your online accounts. Don’t believe me? Ask Mat Honan.

If you find it hard to manage different passwords then it may be worth singing up for a password manager like LastPass. I personally use LastPass and I can’t recommend it highly enough. You can also setup 2-factor authentication on Gmail.

Conclusion

All in all normal service seems to have resumed on the Ubuntu Forums and Canonical have taken steps to ensure that this kind of thing doesn’t happen again. However, no website is 100% immune to attack. To use the Ubuntu Forums again you will need to setup Ubuntu Single Sign On (SSO). If you’re not sure what this is all about then there is more information about SSO here.

This is a perfect example of how hackers can compromise even the largest of web sites. No one is 100% immune, but using systems like LastPass and 2-factor authentication you can limit your exposure should you find yourself in this unfortunate position?

Do you have any hack stories? We would love to hear them in the comments section below.

Ubuntu Forums Back Online Following Large Hack
User Rating: 0 (0 votes)